Proposed Supervisory Guidance, 1351-1362 [2018-00294]
Download as PDF
<![CDATA[
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
FARM CREDIT SYSTEM INSURANCE
CORPORATION
FEDERAL RESERVE SYSTEM
Regular Meeting; Farm Credit System
Insurance Corporation Board
Proposed Supervisory Guidance
[Docket No. OP–1594]
Board of Governors of the
Federal Reserve System (Board).
ACTION: Proposed supervisory guidance.
AGENCY:
Farm Credit System Insurance
Corporation.
AGENCY:
ACTION:
Notice, regular meeting.
Dated: January 8, 2018.
Dale L. Aultman,
Secretary, Farm Credit System Insurance
Corporation Board.
The Board is seeking
comment on proposed guidance
describing core principles of effective
senior management, the management of
business lines, and independent risk
management and controls for large
financial institutions. The proposal
would apply to domestic bank holding
companies with total consolidated
assets of $50 billion or more; savings
and loan holding companies with total
consolidated assets of $50 billion or
more; the combined U.S. operations of
foreign banking organizations with
combined U.S. assets of $50 billion or
more; any state member bank
subsidiaries of the foregoing; and
systemically important nonbank
financial companies designated by the
Financial Stability Oversight Council for
supervision by the Board.
DATES: Comments must be received no
later than March 15, 2018.
ADDRESSES: Interested parties are
invited to submit written comments by
following the instructions for submitting
comments at https://
www.federalreserve.gov/generalinfo/
foia/ProposedRegs.cfm.
• Federal eRulemaking Portal: https://
www.regulations.gov. Follow the
instructions for submitting comments.
• Email: regs.comments@
federalreserve.gov. Include the docket
number in the subject line of the
message.
• Fax: (202) 452–3819 or (202) 452–
3102.
• Mail: Address to Ann E. Misback,
Secretary, Board of Governors of the
Federal Reserve System, 20th Street and
Constitution Avenue NW, Washington,
DC 20551.
All public comments will be made
available on the Board’s website at
https://www.federalreserve.gov/
generalinfo/foia/ProposedRegs.cfm as
submitted, unless modified for technical
reasons. Accordingly, comments will
not be edited to remove any identifying
or contact information. Public
comments may also be viewed
electronically or in paper in Room 3515,
1801 K Street NW (between 18th and
19th Street NW), Washington, DC 20006
between 9:00 a.m. and 5:00 p.m. on
weekdays.
[FR Doc. 2018–00350 Filed 1–10–18; 8:45 am]
FOR FURTHER INFORMATION CONTACT:
BILLING CODE 6710–01–P
Michael Hsu, Associate Director, (202)
SUMMARY:
Notice is hereby given of the
regular meeting of the Farm Credit
System Insurance Corporation Board
(Board).
SUMMARY:
The meeting of the Board will be
held at the offices of the Farm Credit
Administration in McLean, Virginia, on
January 18, 2018, from 2:00 p.m. until
such time as the Board concludes its
business.
DATES:
Farm Credit System
Insurance Corporation, 1501 Farm
Credit Drive, McLean, Virginia 22102.
Submit attendance requests via email to
VisitorRequest@FCA.gov. See
SUPPLEMENTARY INFORMATION for further
information about attendance requests.
ADDRESSES:
FOR FURTHER INFORMATION CONTACT:
Dale
L. Aultman, Secretary to the Farm
Credit System Insurance Corporation
Board, (703) 883–4009, TTY (703) 883–
4056, aultmand@fca.gov.
This
meeting of the Board will be open to the
public (limited space available). Please
send an email to VisitorRequest@
FCA.gov at least 24 hours before the
meeting. In your email include: Name,
postal address, entity you are
representing (if applicable), and
telephone number. You will receive an
email confirmation from us. Please be
prepared to show a photo identification
when you arrive. If you need assistance
for accessibility reasons, or if you have
any questions, contact Dale L. Aultman,
Secretary to the Farm Credit System
Insurance Corporation Board, at (703)
883–4009. The matters to be considered
at the meeting are:
SUPPLEMENTARY INFORMATION:
srobinson on DSK9F5VC42PROD with NOTICES
Open Session
A. Approval of Minutes
• December 14, 2017
B. New Business
• Review of Insurance Premium Rates
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
PO 00000
Frm 00025
Fmt 4703
Sfmt 4703
1351
912–4330, Richard Naylor, Associate
Director, (202) 728–5854, Vaishali Sack,
Manager, (202) 452–5221, April Snyder,
Manager, (202) 452–3099, David Palmer,
Senior Supervisory Financial Analyst,
(202) 452–2904, Jennifer Su, Senior
Supervisory Financial Analyst, (202)
475–6348, Christine Graham, Senior
Supervisory Financial Analyst, (202)
452–3005, Division of Supervision and
Regulation; Laurie Schaffer, Associate
General Counsel, (202) 452–2272,
Benjamin W. McDonough, Assistant
General Counsel, (202) 452–2036, Scott
Tkacz, Senior Counsel, (202) 452–2744,
Keisha Patrick, Senior Counsel, (202)
452–3559, or Christopher Callanan,
Senior Attorney, (202) 452–3594, Legal
Division, Board of Governors of the
Federal Reserve System, 20th and C
Streets NW, Washington, DC 20551. For
the hearing impaired only,
Telecommunications Device for the Deaf
(TDD) users may contact (202) 263–
4869.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. LFI Rating System and Board Effectiveness
Proposals
III. Implementation
IV. Objectives of the Proposed Guidance
V. Applicability
VI. Description of the Proposed Guidance
A. Core Principles of Effective Senior
Management
B. Core Principles of the Management of
Business Lines
C. Core Principles of Independent Risk
Management and Controls
I. Background
The Board invites comment on
proposed guidance setting forth core
principles of effective senior
management, the management of
business lines, and independent risk
management (‘‘IRM’’) and controls for
large financial institutions (‘‘LFIs’’).
This proposal is part of a broader
initiative by the Federal Reserve to
develop a supervisory rating system and
related supervisory guidance that would
align with its consolidated supervisory
framework for LFIs. Drawing on lessons
from the 2007–2009 financial crisis, the
Federal Reserve reevaluated its
approach to supervision of LFIs,
including systemically important firms.
In 2010, the Federal Reserve established
the Large Institution Supervision
Coordinating Committee (‘‘LISCC’’) to
coordinate its supervisory oversight for
the systemically important firms that
pose the greatest risk to U.S. financial
E:\FR\FM\11JAN1.SGM
11JAN1
1352
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
stability.1 In 2012, the Federal Reserve
implemented a new consolidated
supervisory program for LFIs (‘‘LFI
supervision framework’’) described in
SR letter 12–17.2 The LFI supervision
framework is focused on four core
areas—capital planning and positions,
liquidity risk management and
positions, governance and controls, and
resolution planning.3
srobinson on DSK9F5VC42PROD with NOTICES
II. LFI Rating System and Board
Effectiveness Proposals
In August 2017, the Board invited
comment on two proposals that relate to
this guidance, a new rating system for
LFIs (‘‘proposed LFI rating system’’) 4
and proposed guidance addressing
supervisory expectations for boards of
directors (‘‘BE proposal’’).5 On
November 17, 2017, the Board extended
the public comment period for the
proposed LFI rating system and BE
proposal until February 15, 2018, to give
the public an opportunity to understand
and comment on the proposed LFI
rating system, the BE proposal, and this
proposed guidance together.
The proposed LFI rating system
would provide a supervisory evaluation
of whether a firm possesses sufficient
financial and operational strength and
resilience to maintain safe and sound
operations through a range of
conditions. Consistent with the LFI
supervision framework, the proposed
1 Presently, the LISCC portfolio consists of eight
domestic bank holding companies, four foreign
banking organizations, and one nonbank financial
company designated by the Financial Stability
Oversight Council (‘‘FSOC’’) for supervision by the
Federal Reserve. The domestic bank holding
companies are: (1) Bank of America Corporation; (2)
Bank of New York Mellon Corporation; (3)
Citigroup Inc.; (4) Goldman Sachs Group, Inc.; (5)
JP Morgan Chase & Co.; (6) Morgan Stanley; (7)
State Street Corporation; and (8) Wells Fargo &
Company. The foreign banking organizations are:
(1) Barclays PLC; (2) Credit Suisse Group AG; (3)
Deutsche Bank AG; and (4) UBS AG. The nonbank
financial company is Prudential Financial, Inc. The
list of firms included in the LISCC supervisory
program is available at https://
www.federalreserve.gov/bankinforeg/largeinstitution-supervision.htm. Hereinafter in this
preamble, these firms may be referred to as ‘‘LISCC
firms.’’
2 See SR letter 12–17/CA letter 12–14,
‘‘Consolidated Supervision Framework for Large
Financial Institutions,’’ (referred to as ‘‘SR letter
12–17’’ in this preamble).
3 The Board previously set forth expectations for
resolution planning for domestic LISCC firms in SR
letter 14–8, ‘‘Consolidated Recovery Planning for
Certain Large Domestic Bank Holding Companies.’’
4 82 FR 39049 (August 17, 2017). The proposed
LFI rating system would apply to all bank holding
companies with total consolidated assets of $50
billion or more; all non-insurance, non-commercial
savings and loan holding companies with total
consolidated assets of $50 billion or more; and U.S.
intermediate holding companies of foreign banking
organizations established pursuant to the Federal
Reserve’s Regulation YY.
5 82 FR 37219 (August 9, 2017).
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
LFI rating system would include
assessments of a firm’s capital, liquidity,
and governance and controls. As
discussed further below, the BE
proposal and this proposal set forth
supervisory expectations relevant to the
assessment of a firm’s governance and
controls.
The governance and controls
component would consist of three
elements: (i) Effectiveness of a firm’s
board of directors, (ii) management of
business lines and independent risk
management and controls, and (iii)
recovery planning (for domestic LISCC
firms only).
To facilitate comment on the
proposed LFI rating system, the
preamble to the proposed LFI rating
system included a summary which
previewed the proposed expectations
included in this proposal. This proposal
is generally consistent with that
summary, with two exceptions. First,
this proposal expands the scope of the
guidance to foreign banking
organizations.6 Second, this proposal
adopts slightly different terminology
than is used in the proposed LFI rating
system to describe expectations for the
management of business lines. However,
the change does not change the
substance of those expectations
described in the proposed LFI rating
system.7 The Board would expect to
apply the terminology used in this
guidance in any final LFI rating system;
however, this change would not impact
the supervisory assessment of a firm’s
management of business lines for
purposes of the governance and controls
component rating.
The BE proposal sets forth attributes
of an effective board of directors. It is
intended to better distinguish the
supervisory expectations for boards
from those of senior management and
encourage boards to focus time and
attention on their core responsibilities.8
The expectations in the BE proposal
would inform the Board’s evaluation of
The proposed LFI rating system
would provide a supervisory evaluation
of whether a firm possesses sufficient
financial and operational strength and
resilience to maintain safe and sound
operations through a range of
conditions. This proposed guidance
builds upon the proposed LFI rating
system framework by providing
additional detail regarding supervisory
expectations for a firm’s management of
business lines and independent risk
management and controls. For firms that
would be subject to the proposed LFI
rating system, these expectations would
help inform the Federal Reserve’s
overall supervisory evaluation, for
purposes of the proposed LFI rating
system, of each firm’s governance and
controls to support the firm’s financial
and operational strength and resilience,
which would be reflected by the
governance and controls component
rating under the proposed LFI rating
system.9
The Federal Reserve would not expect
to examine all of a firm’s business lines
which are subject to this proposed
guidance during a single year. Instead,
consistent with its current supervisory
practice, the Federal Reserve would use
a risk-based approach to determine
which business lines of a firm to
examine or review during the year. In
conducting its supervisory planning for
an upcoming exam cycle, the Federal
Reserve would consider factors related
to the potential for weaknesses in a
firm’s governance and controls.10 Such
factors would include the size and
complexity of the business line, recent
supervisory experience, the relative
growth and maturity of the business
line, and significant changes to strategy,
structure, or management since the last
6 The preamble to the proposed LFI rating system
described the management of business lines and
IRM and controls for domestic LFIs, and noted that
adjustments to extend applicability of the guidance
to the U.S. operations of FBOs may be made prior
to issuing this guidance for public comment. This
preamble highlights those adjustments.
7 See discussion of this change in section VI.B of
this preamble.
8 ‘‘Board’’ or ‘‘board of directors’’ also refers to
committees of the board of directors, as appropriate.
At this time, recovery planning expectations
apply only to domestic bank holding companies in
the LISCC portfolio. See SR letter 14–8,
‘‘Consolidated Recovery Planning for Certain Large
Domestic Bank Holding Companies.’’ Should the
Federal Reserve expand the scope of recovery
planning expectations to encompass additional
firms, this rating will reflect such expectations for
the broader set of firms.
9 The Federal Reserve expects to finalize the
proposed guidance for use in assigning initial
ratings under the LFI rating system beginning in
2018. If the proposed LFI rating system were
finalized before this proposed guidance, the Federal
Reserve would use existing supervisory guidance to
help inform its evaluation of each firm’s governance
and controls for purposes of the proposed LFI rating
system, until such time that this proposed guidance
is finalized.
For firms that would be subject to this proposed
guidance but not subject to the proposed LFI rating
system, this proposed guidance would help inform
the Federal Reserve’s evaluation of the firm’s
overall safety and soundness and the effectiveness
of its risk management practices.
10 For supervisory planning purposes, the Federal
Reserve may reevaluate at any time which areas of
a firm to examine or review, as circumstances
warrant.
PO 00000
Frm 00026
Fmt 4703
Sfmt 4703
the effectiveness of a firm’s board of
directors under the governance and
control component of the proposed LFI
rating system.
III. Implementation
E:\FR\FM\11JAN1.SGM
11JAN1
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
exam cycle. In order to minimize
unnecessary duplication for firms
subject to this guidance, the Federal
Reserve would, to the extent possible,
evaluate a firm’s governance and
controls in coordination with other
relevant Federal and state agencies,
particularly the primary regulators of
the firm’s insured depository institution
subsidiaries.
IV. Objectives of the Proposed
Guidance
The proposed guidance is intended to
consolidate and clarify the Federal
Reserve’s existing supervisory
expectations regarding risk
management.11 In addition, the
proposed guidance is designed to
delineate the roles and responsibilities
for individuals and functions related to
risk management. It would complement
the BE proposal by aligning the
attributes of senior management with
those of an effective board of directors.
For instance, the BE proposal provides
that an effective board of directors sets
the firm’s strategy and risk tolerance,
and this proposal contemplates that the
firm’s senior management implements
the strategy and risk tolerance approved
by the board. In this way, the proposed
guidance would better distinguish the
supervisory expectations for boards
from those of senior management. The
proposal also defines the roles and
responsibilities for various individuals
and functions within an organization
that are accountable for risk
management, including a firm’s senior
management, business line
management, and independent risk
management and audit functions.
Delineating roles and responsibilities for
risk management should enable the
Federal Reserve to provide firms with
more specific and consistent
supervisory feedback.
V. Applicability
The proposed guidance would apply
to domestic bank holding companies
with total consolidated assets of $50
billion or more; savings and loan
holding companies with total
consolidated assets of $50 billion or
srobinson on DSK9F5VC42PROD with NOTICES
11 For
firms subject to this proposed guidance, the
proposed guidance would supersede SR letter 95–
51, ‘‘Rating the Adequacy of Risk Management
Processes and Internal Controls at State Member
Banks and Bank Holding Companies.’’ SR letter 95–
51 was superseded by SR letter 16–11 for state
member banks, bank holding companies, and
savings and loan holding companies (including
insurance and commercial savings and loan holding
companies) with less than $50 billion in total
consolidated assets, and FBOs with consolidated
U.S. assets of less than $50 billion. See SR letter 16–
11, ‘‘Supervisory Guidance for Assessing Risk
Management at Supervised Institutions with Total
Consolidated Assets Less than $50 Billion.’’
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
more; the combined U.S. operations of
foreign banking organizations (‘‘FBOs’’)
with combined U.S. assets of $50 billion
or more; any state member bank
subsidiaries of the foregoing; and
systemically important nonbank
financial companies designated by
FSOC for supervision by the Board.12
For FBOs, the proposed guidance
would apply to an FBO’s combined U.S.
operations, including branch and
subsidiary operations. This scope would
be consistent with certain requirements
of the Board’s Regulation YY, which
requires, among other things, FBOs to
establish a risk management framework
that covers both the U.S. branch and
U.S. non-branch subsidiary operations,
establish a U.S. risk committee to
oversee the risks of the combined U.S.
operations, and employ a chief risk
officer (‘‘CRO’’) based in the United
States.13
Given that an FBO’s combined U.S.
operations are part of a larger global
organization, the proposed guidance
notes that certain elements of an FBO’s
governance framework may be located
outside of the United States. In this
event, the proposed guidance provides
that these elements should enable
effective governance and risk
management by the U.S. senior
management, the U.S. risk committee,
and the intermediate holding company
(‘‘IHC’’) board (as applicable), and
should facilitate U.S. supervisors’
ability to assess the adequacy of
governance and controls in the
combined U.S. operations.
The proposed guidance also applies to
nonbank financial companies
supervised by the Board and insurance
or commercial savings and loan holding
companies with total consolidated
assets of $50 billion or more. The
concepts set forth in the proposed
guidance relate to fundamental risk
management practices that are
applicable to all LFIs.
VI. Description of the Proposed
Guidance
The proposed guidance is organized
in three parts: (1) Core principles of
12 As described in the proposed guidance,
references to ‘‘firm’’ refer to all entities subject to
this guidance, including the combined U.S.
operations of an FBO, unless the context requires
otherwise.
13 12 CFR 252.155. For an FBO, references to CRO
mean the U.S. CRO. Unlike this proposal, the BE
proposal would not apply to the U.S. operations of
a foreign banking organization, due to concerns of
extraterritoriality and differences in organizational
structure and legal requirements in other
jurisdictions. In the preamble to the BE proposal,
the Board stated that it was considering applying
that guidance to the boards of directors of U.S.
intermediate holding companies, and sought
comment on that proposed application.
PO 00000
Frm 00027
Fmt 4703
Sfmt 4703
1353
effective senior management; (2) core
principles of the management of
business lines; and (3) core principles of
IRM and controls.
A. Core Principles of Effective Senior
Management
The proposed guidance sets forth core
principles of effective senior
management. Senior management is
defined as the core group of individuals
directly accountable to the board of
directors for the sound and prudent dayto-day management of the firm. Under
the board’s oversight, a firm’s senior
management is responsible for
managing the day-to-day operations of
the firm and ensuring safety and
soundness and compliance with laws
and regulations, including those related
to consumer protection, and internal
policies and procedures. Two key
responsibilities of senior management
are overseeing the activities of the firm’s
business lines (individually and
collectively) and the firm’s IRM and
system of internal control. In addition to
the general expectations regarding
senior management, the IRM and
controls section of the proposed
guidance sets forth specific expectations
for the CRO and chief audit executive
(‘‘CAE’’), as these individuals have
specific responsibilities related to IRM
and internal audit, respectively.
The proposed guidance tailors the
application of these expectations for an
FBO, given that the combined U.S.
operations are part of a larger global
organization. For instance, the proposed
guidance notes that the risk tolerance
for the combined U.S. operations may
be developed separately for the IHC and
branch operations, respectively, and
notes that the strategy for the combined
U.S. operations may mean the manner
in which the U.S. operations support
the global strategy. The proposal also
notes that for an FBO, ‘‘senior
management’’ can refer to individuals
located inside or outside the United
States who are accountable to the IHC
board, U.S. risk committee, or global
board of directors with respect to the
U.S. operations.14
B. Core Principles of the Management of
Business Lines
The proposed guidance sets forth core
principles of the management of
business lines. Business line
management is defined as the core
14 To facilitate a full understanding by the FBO
of risks presented by the U.S. operations, the
proposed guidance states that senior management
should fully understand U.S.-based risks and
communicate information on those risks to global
management so that U.S.-based risks are included
in the aggregate risk assessment.
E:\FR\FM\11JAN1.SGM
11JAN1
1354
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
srobinson on DSK9F5VC42PROD with NOTICES
group of individuals responsible for the
prudent day-to-day management of the
business line and who report directly to
senior management.15 Business line
management is expected to execute
business line activities consistent with
the firm’s strategy and risk tolerance,
identify and manage risk within the
business line, provide sufficient
resources and infrastructure to the
business line, ensure the business line
has the appropriate system of internal
control, and ensure accountability for
operating within established policies
and guidelines and in accordance with
laws and regulations, including those
related to consumer protection.
For a LISCC firm, due to its size, risk
profile, and systemic importance of
operations, the core principles of the
management of business lines would
apply to all of the firm’s business lines.
For an LFI that is not a LISCC firm, the
core principles of the management of
business lines would apply to any
business line where a significant control
disruption, failure, or loss event could
result in a material loss of revenue,
profit, or franchise value, or result in
significant consumer harm.16 The
proposed guidance uses slightly
different terminology than the proposed
LFI rating system to describe the core
principles of the management of
business lines. The proposed LFI rating
system referred to these principles as
relating to the ‘‘management of core
business lines.’’ For a LISCC firm,
‘‘core’’ business lines were defined to
include all business lines, whereas for
other LFIs, ‘‘core’’ business lines were
defined to include any business line
where a significant control disruption,
failure, or loss event could result in a
15 The proposed guidance defines a business line
as a defined unit or function of a financial
institution, including associated operations and
support that provides related products or services
to meet the firm’s business needs and those of its
customers. This definition would include units
such as Corporate Treasury and IT support. For an
FBO, a business line would include all business
lines that are present in the United States.
16 Any business line of an LFI that is not a LISCC
firm which does not meet this definition (and thus
would not be subject to the core principles of the
management of business lines included in Part II of
the proposed guidance) would be expected to
maintain appropriate risk management practices to
ensure the firm’s safety and soundness. In addition,
the supervisory expectations concerning effective
senior management oversight and IRM and controls
described in Parts I and III of the proposed
guidance, respectively, would apply across the
entire firm. For example, supervisory expectations
regarding senior management’s responsibility for
maintaining and implementing an effective risk
management framework and ensuring that the firm
appropriately manages risk consistent with the
firm’s strategy and risk tolerance extends to its
management of the firm as a whole, and not be
limited to the individual business lines covered by
Part II of the proposed guidance.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
material loss of revenue, profit, or
franchise value, or result in significant
consumer harm. Although this proposal
uses the term ‘‘management of business
lines,’’ the principles would apply to
the same business lines that were
identified as ‘‘core’’ in the proposed LFI
rating system. The revised terminology
is intended to simplify the guidance.
The proposed guidance does not
include specific expectations regarding
organizational structure at firms and
states that business line management
may also serve as senior management. If
business line management is not part of
senior management, business line
management is responsible for fully
engaging senior management, so that
senior management can effectively carry
out their responsibilities.
For an FBO, the proposed guidance
acknowledges that a business line in the
United States may be part of a larger
global business line and clarifies that
the guidance applies only to that
portion of the business conducted in the
United States. The proposed guidance
notes that business line management
should ensure that business line risks
are comprehensively captured, with
consideration given to risks outside of
the United States that may impact the
FBO’s U.S. operations.17
C. Core Principles of Independent Risk
Management and Controls
The proposed guidance describes core
principles of a firm’s IRM and controls,
which refers to a firm’s independent
risk management function, system of
internal control, and internal audit
function.18 The proposal sets forth
responsibilities of the CRO and CAE, the
members of senior management
responsible for IRM and internal audit,
respectively. As described in the
proposed guidance, both the CRO and
CAE should have clear roles and
responsibilities to establish and
maintain an IRM and internal audit
function, respectively, that are
appropriate for the size, complexity, and
risk profile of the firm.
The proposed guidance describes
expectations for a firm’s IRM, which
17 Conversely, to ensure that risks of the U.S.
operations are appropriately communicated to
global management, business line management
would be expected to provide sufficient information
to global management and escalate issues, as
appropriate, to enable an understanding of U.S.
risk.
18 The proposed guidance defines the term
‘‘internal controls’’ as the policies, procedures,
systems and processes designed to provide
reasonable assurance regarding: The effectiveness
and efficiency of operations; reliability of financial
reporting (including risk reporting); compliance
with laws and regulations (including those related
to consumer protection); and safeguarding of assets
and information.
PO 00000
Frm 00028
Fmt 4703
Sfmt 4703
include evaluating the firm’s risk
tolerance; establishing enterprise-wide
risk limits and monitoring adherence to
those limits; identifying, measuring, and
aggregating risks; providing an
independent assessment of the firm’s
risk profile; and providing risk reports
to the board and senior management.
The proposed guidance builds upon the
framework set forth in Regulation YY,
which requires a firm to have an
independent risk management
function.19
While IRM would be expected to
evaluate the firm’s risk tolerance, the
proposed guidance would not set the
expectation that IRM would have sole
responsibility for the risk tolerance.
Depending on a firm’s organizational
structure, it may be appropriate for
business line management to provide
input into the risk tolerance or drive its
development. The proposed guidance
would assign responsibility for
enterprise-wide risk limits to IRM, but
acknowledge that business line
management may develop its own limits
for internal business line use and may
provide input to the risk limit-setting
process defined by IRM. However, the
internal limits of a business line should
not be less stringent than the limits set
by IRM because the IRM limits should
be the operative, formal, and binding
limits across the firm.
For internal controls, the proposed
guidance expands upon the expectation
for internal controls described in SR
letter 12–17. As described in the
proposed guidance, a firm should
identify its system of internal control
and demonstrate that that system is
commensurate with the firm’s size,
scope of operations, activities, risk
profile, strategy, and risk tolerance;
demonstrate that it is consistent with all
applicable laws and regulations;
regularly evaluate and test the
effectiveness of internal controls; and
monitor the functioning of controls so
that deficiencies are identified and
communicated in a timely manner. The
proposed guidance provides that
developing and maintaining effective
internal controls is the responsibility of
several parties, including business line
management.
The strength of a firm’s internal audit
practices are an important consideration
in the Federal Reserve’s supervisory
assessment of the effectiveness of the
firm’s governance and controls. This
proposed guidance would not expand
upon the Federal Reserve’s expectations
19 12
CFR 252.33, 252.155. See also SR letter 12–
17.
E:\FR\FM\11JAN1.SGM
11JAN1
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
for internal audit; instead the proposed
guidance references existing guidance.20
VII. Request for Comments
srobinson on DSK9F5VC42PROD with NOTICES
The Board invites comments on all
aspects of the proposed guidance,
including responses to the following
questions:
(1) What considerations beyond those
outlined in this proposal should be
considered in the Federal Reserve’s
assessment of whether an LFI has sound
governance and controls such that the
firm has sufficient financial and
operational strength and resilience to
maintain safe and sound operations?
(2) How could the roles and
responsibilities between the board of
directors set forth in the proposed board
effectiveness guidance, and between the
senior management, business line
management, and IRM be clarified?
(3) What, if any, aspects of the
structure and coverage of IRM and
controls should be addressed more
specifically by the guidance?
(4) The proposal tailors expectations
for FBOs, recognizing that the U.S.
operations are part of a larger
organization. How could this tailoring
be improved?
(5) In what ways, if any, does the
guidance diverge from industry
practice? How could the guidance better
reflect industry practice while
facilitating effective risk management
and controls? Are there any existing
standards for internal control
frameworks to which the guidance
should follow more closely?
(6) Other supervisory
communications have used the term
‘‘risk appetite’’ instead of risk tolerance.
Are the terms ‘‘risk appetite’’ and ‘‘risk
tolerance’’ used interchangeably within
the industry, and what confusion, if
any, is created by the terminology used
in this guidance?
(7) The proposal would adopt
different terminology than is used in the
proposed LFI rating system, and the
Board expects to align the terminology
so the element in the governance and
controls component would change from
‘‘management of core business lines’’ to
‘‘management of business lines.’’ Does
this proposal clearly explain this
expected change? Do commenters
anticipate any impact from this change?
20 The Federal Reserve issued guidance outlining
the key components of an effective internal audit
function in SR letter 03–5, ‘‘Amended Interagency
Guidance on the Internal Audit Function and its
Outsourcing,’’ and followed that with supplemental
guidance in SR letter 13–1/CA letter 13–1,
‘‘Supplemental Policy Statement on the Internal
Audit Function and Its Outsourcing.’’
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
Paperwork Reduction Act
In accordance with the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501–
3521) (‘‘PRA’’), the Board may not
conduct or sponsor, and a respondent is
not required to respond to, an
information collection unless it displays
a currently valid Office of Management
and Budget (‘‘OMB’’) control number.
The Board reviewed the proposed
supervisory guidance under the
authority delegated to the Board by
OMB.
The proposed supervisory guidance
contains a collection of information
subject to the PRA. Recordkeeping
requirements are found in the proposed
guidance. Among expectations for
business line management, the proposed
guidance states that business line
management should establish specific
business and risk objectives for business
lines, and establish policies and
guidelines that delineate accountability
within the business line. In addition,
the proposed guidance sets expectations
for a firm’s IRM function, including
related to the scope of a firm’s risk
limits and an expectation for written
risk assessment that would be provided
to the senior management and, as
appropriate, the board. The proposed
guidance also sets expectations for
internal audit, including an expectation
for an internal audit risk assessment and
audit reports.
Comments are invited on:
a. Whether the collections of
information are necessary for the proper
performance of the Board’s functions,
including whether the information has
practical utility;
b. The accuracy or the estimate of the
burden of the information collections,
including the validity of the
methodology and assumptions used;
c. Ways to enhance the quality,
utility, and clarity of the information to
be collected;
d. Ways to minimize the burden of the
information collections on respondents,
including through the use of automated
collection techniques or other forms of
information technology; and
e. Estimates of capital or startup costs
and costs of operation, maintenance,
and purchase of services to provide
information.
All comments will become a matter of
public record. Comments on aspects of
this notice that may affect reporting,
recordkeeping, or disclosure
requirements and burden estimates
should be sent to: Secretary, Board of
Governors of the Federal Reserve
System, 20th and C Streets NW,
Washington, DC 20551. A copy of the
comments may also be submitted to the
PO 00000
Frm 00029
Fmt 4703
Sfmt 4703
1355
OMB desk officer by mail to U.S. Office
of Management and Budget, 725 17th
Street NW, #10235, Washington, DC
20503; facsimile to (202) 395–6974; or
email to oira_submission@omb.eop.gov,
Attention, Federal Banking Agency Desk
Officer.
Proposed Information Collection
Report title: Governance and Controls
Guidance.
Agency form number: FR 4204.
OMB control number: 7100–NEW.
Frequency: Annual.
Respondents: Domestic bank and
savings and loan holding companies
with total consolidated assets of $50
billion or more, systemically important
nonbank financial companies
designated by FSOC for supervision by
the Board, the U.S. operations of FBOs
with combined U.S. assets of $50 billion
or more, and state member bank
subsidiaries of the foregoing.
Legal authorization and
confidentiality: This information
collection is voluntary. The Board has
determined that the collection of
information is authorized by section 5(c)
of the Bank Holding Company Act (12
U.S.C. 1844(c)), section 10(b) of the
Homeowners’ Loan Act (12 U.S.C.
1467a(b)(4), section 113 of the DoddFrank Act (12 U.S.C. 5323). The
information contained would be
considered confidential pursuant to
exemption 8 of the Freedom of
Information Act (5 U.S.C. 552(b)(8)).
Estimated number of respondents: 56.
Estimated average hours per response:
3,872 hours initial setup, 560 hours for
ongoing.
Estimated annual burden hours:
216,832 hours initial setup, 31,360
hours for ongoing.
Regulatory Flexibility Analysis
The Federal Reserve is providing an
initial regulatory flexibility analysis
with respect to this proposal. While the
proposed guidance is not being adopted
as a rule, the Federal Reserve has
considered the potential impact of the
proposal on small banking organizations
using considerations that would apply if
the Regulatory Flexibility Act, 5 U.S.C.
601 et seq. (‘‘RFA’’) were applicable.
Based on the Board’s analysis and for
the reasons stated below, the Board
believes that the proposed guidance will
not have a significant economic impact
on a substantial number of small
entities.
Under regulations issued by the Small
Business Administration, a small entity
includes a depository institution, bank
holding company, or savings and loan
holding company with assets of $550
million or less (‘‘small banking
E:\FR\FM\11JAN1.SGM
11JAN1
1356
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
organizations’’). As of June 1, 2017,
there were approximately 3,539 small
banking organizations. As described
above, the proposed guidance would
apply only to all bank holding
companies with total consolidated
assets of $50 billion or more; state
member banks of such bank holding
companies; all savings and loan holding
companies with total consolidated
assets of $50 billion or more;
systemically important nonbank
financial companies designated by
FSOC for supervision by the Federal
Reserve; and the U.S. operations of
FBOs with combined U.S. assets of $50
billion or more. Small banking
organizations would therefore not be
subject to the proposed guidance. As a
result, the proposed guidance should
have any impact on small banking
organizations. In light of the foregoing,
the Board believes that the proposed
guidance will not have a significant
economic impact on small banking
organizations supervised by the Board.
Text for the Proposed Supervisory
Guidance on Management of Business
Lines and Independent Risk
Management and Controls for Large
Financial Institutions
Introduction
srobinson on DSK9F5VC42PROD with NOTICES
Governance and controls involves (i)
the oversight of a firm by its board of
directors, (ii) management of business
lines and independent risk management
(IRM) and controls, and (iii) for
domestic Large Institution Supervision
Coordinating Committee (LISCC) firms
only, recovery planning. This guidance
sets forth the second part of the Federal
Reserve’s expectations for large
financial institutions (LFIs or firms)—
core principles of the management of
business lines and IRM and controls.
This guidance also builds upon
supervisory guidance previously issued
by the Federal Reserve.21
Guidance related to the first part of
governance and controls, the oversight
of a firm by its board of directors (BE
Guidance), was released earlier.22 It
21 See SR letter 12–17/CA letter 12–14,
‘‘Consolidated Supervision Framework for Large
Financial Institutions.’’ Other laws and regulations
set forth requirements for corporate governance and
risk management, including the risk and liquidity
risk management requirements in Regulation YY
(12 CFR part 252).
22 See 82 FR 37219 (August 9, 2017) for the
proposed Supervisory Guidance on Board of
Directors’ Effectiveness for Domestic Bank and
Savings and Loan Holding Companies With Total
Consolidated Assets of $50 Billion or More
(Excluding Intermediate Holding Companies of
Foreign Banking Organizations Established
Pursuant to the Federal Reserve’s Regulation YY),
and Systemically Important Nonbank Financial
Companies Designated by the Financial Stability
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
describes attributes of an effective board
of directors and distinguishes a board’s
responsibilities from those of a firm’s
senior management.
Like the BE Guidance, the supervisory
expectations described in this guidance
regarding the management of business
lines and IRM and controls would help
inform the Federal Reserve’s overall
supervisory evaluation of a firm’s
governance and controls to support the
firm’s financial and operational strength
and resilience. Among other factors, this
evaluation would be an input to the
governance and controls component
rating under the proposed LFI rating
system.23
the combined U.S. operations of an
FBO, unless the context requires
otherwise. Given that an FBO’s
combined U.S. operations are part of a
larger global organization, the Federal
Reserve anticipates that certain
elements of an FBO’s governance
framework may be located outside of the
United States. In this event, these
elements should enable effective
governance and risk management by the
U.S. senior management, the U.S. risk
committee, and the IHC board (as
applicable), and should facilitate U.S.
supervisors’ ability to assess the
adequacy of governance and controls in
the combined U.S. operations.
I. Applicability
The guidance applies to domestic
bank holding companies (BHCs) and
domestic savings and loan holding
companies with total consolidated
assets of $50 billion or more, the
combined U.S. operations of foreign
banking organizations (FBOs) with
combined U.S. assets of $50 billion or
more, and any state member bank
subsidiaries of the foregoing. The
guidance also applies to systemically
important nonbank financial companies
designated by the Financial Stability
Oversight Council (FSOC) for
supervision by the Board.
Core Principles of Effective Senior
Management, Management of Business
Lines, and Independent Risk
Management (IRM) and Controls
Application to Foreign Banking
Organizations
Regulation YY requires FBOs with
combined U.S. assets of $50 billion or
more to maintain a U.S. risk committee
to oversee the risk management
framework of the combined U.S.
operations.24 Regulation YY also
requires FBOs with U.S. non-branch
assets of $50 billion or more to establish
an intermediate holding company (IHC),
which is governed by a board of
directors or managers with equivalent
rights, powers, privileges, duties, and
responsibilities to those of a board of
directors of a domestic corporation.25
The Federal Reserve’s expectations for
governance of the combined U.S.
operations of an FBO are generally
consistent with its expectations for
governance of large domestic firms and,
in this guidance, a reference to ‘‘firm’’
should be taken also as a reference to
Oversight Council for Supervision by the Federal
Reserve.
23 See 82 FR 39049 (August 17, 2017) for the
proposed large financial institutions rating system
(LFI rating system). For firms that would be subject
to this guidance but not subject to the proposed LFI
rating system, this guidance would help inform the
Federal Reserve’s evaluation of the firm’s overall
safety and soundness and the effectiveness of its
risk management practices.
24 12 CFR 252.155(a).
25 12 CFR 252.153(a)(2)(ii).
PO 00000
Frm 00030
Fmt 4703
Sfmt 4703
This guidance sets forth core
principles of effective senior
management, the management of a
firm’s business lines 26 and IRM and
controls.27
I. Core Principles of Effective Senior
Management
Principle: Senior management is
responsible for managing the day-today operations of the firm and
ensuring safety and soundness and
compliance with internal policies and
procedures, laws, and regulations,
including those related to consumer
protection.
Under the board’s oversight, a firm’s
senior management is responsible for
managing the day-to-day operations of
the firm, and for ensuring safety and
soundness and compliance with
internal policies and procedures, laws,
and regulations, including those related
to consumer protection.28 Two key
26 For a LISCC firm, due to its size, risk profile,
and systemic importance, the guidance would
apply to all of the firm’s business lines. For an LFI
that is not a LISCC firm, the expectations for
management of business lines would apply only to
business lines where a significant control
disruption, failure, or loss event would result in a
material loss of revenue, profit, or franchise value,
or result in significant consumer harm. Other
business lines of these firms which do not meet that
definition would be expected to maintain
appropriate risk management practices to ensure
the firm’s safety and soundness. The expectations
included in this guidance relating to effective senior
management oversight and IRM and controls would
apply across the entire firm, and are not limited to
the individual business lines that are subject to the
expectations concerning the management of
business lines.
27 IRM and controls refers to a firm’s independent
risk management function, system of internal
control, and internal audit function.
28 The term ‘‘senior management’’ refers to the
core group of individuals directly accountable to
the board of directors for the sound and prudent
day-to-day management of the firm. For an FBO,
E:\FR\FM\11JAN1.SGM
11JAN1
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
srobinson on DSK9F5VC42PROD with NOTICES
responsibilities of senior management
are overseeing the activities of the firm’s
business lines (individually and
collectively) and the firm’s IRM and
controls.
Senior management is responsible for
implementing the firm’s strategy and
risk tolerance approved by the board.29
Senior management should implement
the strategic and risk objectives across
the firm to support the firm’s long-term
resiliency and safety and soundness,
including the firm’s ability to withstand
the impact of a range of stressed
conditions.30 Senior management
should ensure the firm’s infrastructure,
staffing, and resources are sufficient to
carry out the firm’s strategy and manage
the firm’s activities in a safe and sound
manner, and in compliance with
applicable laws and regulations,
including those related to consumer
protection, as well as policies,
procedures, and limits. Senior
management should also identify when
there is a risk that the firm’s activities
collectively may deviate from the firm’s
strategy and risk tolerance and escalate
such instances to the board of directors.
Senior management is responsible for
maintaining and implementing an
effective risk management framework
and ensuring the firm appropriately
manages risk consistent with its strategy
and risk tolerance.31 This includes
‘‘senior management’’ can refer to individuals
located inside or outside the United States who are
accountable to the IHC board, U.S. risk committee,
or global board of directors with respect to the U.S.
operations.
‘‘Board’’ or ‘‘board of directors’’ also refers to
committees of the board of directors, as appropriate.
29 See 82 FR 37219 (August 9, 2017). ‘‘Risk
tolerance’’ is defined as the aggregate level and
types of risk the board and senior management are
willing to assume to achieve the firm’s strategic
business objectives, consistent with applicable
capital, liquidity, and other requirements and
constraints.
For an FBO, the U.S. risk committee should
approve the risk tolerance for the combined U.S.
operations (which may be developed separately for
the IHC and branch operations, respectively). The
strategy for the combined U.S. operations may mean
the manner in which the U.S. operations support
the global strategy.
30 Risk objectives are the level and type of risks
a business line plans to assume in its activities
relative to the level and type specified in the
firmwide risk tolerance. For example, a residential
mortgage business unit should specify the level and
type of credit risk, interest-rate risk, or other risks
it plans to assume in its activities relative to the
level and type specified in the risk tolerance.
31 For FBOs, regardless of whether a firm’s senior
management resides in the United States, senior
management should fully understand the risks of
U.S operations and communicate information on
the risks of combined U.S. operations to global
management so that these risks are included in the
aggregate risk assessment of the global organization.
Further, senior management with authority over
budgeting or strategy for the combined U.S.
operations should allocate appropriate resources
and expertise to meet the expectations of this
guidance.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
establishing clear responsibilities and
accountability for the identification,
measurement, management, and control
of risk. Senior management is
responsible for promoting and enforcing
prudent risk-taking behaviors and
business practices, including through
the firm’s compensation and
performance management programs.
Senior management is responsible for
developing and maintaining the firm’s
policies and procedures and system of
internal control, commensurate with the
firm’s size, scope of operations,
activities, and risk profile, to ensure
compliance with laws and regulations,
including those related to consumer
protection, and consistency with
supervisory expectations.32 Senior
management should also periodically
assess the risk management framework
as a whole to ensure that the framework
remains comprehensive and appropriate
and has kept pace with changes in the
business line’s products, services, and
activities as well as changes in
economic conditions and the broader
market environment.
Senior management should ensure
effective communication and
information sharing across the entire
firm. Senior management should also
address any impediments to the
effective flow of information, including
those that could result in decisions
being made or actions being taken in
isolation.
In overseeing the firm’s day-to-day
operations, senior management should
base its decisions and actions, as well as
its communications with the board, on
a full understanding of the firm’s risks
and activities. Therefore, senior
management should have in place
robust mechanisms for:
• Keeping apprised of drivers and
trends related to current and emerging
risks, material limit breaches, and other
material issues;
• Maintaining and assessing the
firm’s system of internal control;
• Staying informed about material
deficiencies and limitations in risk
management and control practices, and
ensuring that such deficiencies are
remediated in a timely fashion;
• Assessing the potential impact of
the firm’s activities and risk positions
on the firm’s capital,33 liquidity, and
overall risk profile;
32 The term ‘‘internal controls’’ refers to the
policies, procedures, systems and processes
designed to provide reasonable assurance regarding:
The effectiveness and efficiency of operations;
reliability of financial reporting (including risk
reporting); compliance with laws and regulations
(including those related to consumer protection);
and safeguarding of assets and information.
33 References to ‘‘capital’’ in this section are not
applicable to branches or agencies of an FBO.
PO 00000
Frm 00031
Fmt 4703
Sfmt 4703
1357
• Assessing the firm’s financial and
nonfinancial performance relative to the
firm’s strategy and risk objectives;
• Maintaining robust management
information systems to support
oversight of the firm’s activities and risk
positions, and to provide information to
the board; and
• Maintaining current succession and
contingency staffing plans for key
positions.
Senior management is responsible for
providing timely, useful, and accurate
information to the board. Senior
management should also be responsive
to direction from the board and to the
board’s informational needs. Further,
senior management is responsible for
ensuring resolution of risk management
issues (including those identified by the
firm and outstanding supervisory
matters), escalating issues to the board,
and communicating issues internally
when appropriate. Senior management
should regularly report to the board on
responses to, and remediation of,
material audit and supervisory findings,
risk management and control
deficiencies, material compliance issues
(including those related to consumer
protection), and the outcomes of risk
reviews which may result in remedial
actions.
II. Core Principles of the Management
of Business Lines
This section sets forth core principles
of the management of business lines,
including critical operations.34 As used
in this guidance, business line
management refers to the core group of
individuals responsible for prudent dayto-day management of a business line
and accountable to senior management
for that responsibility.35
For a LISCC firm, due to its size, risk
profile, and systemic importance, these
principles apply to all of the firm’s
business lines. For an LFI that is not a
LISCC firm, these principles apply to
34 A business line is a defined unit or function of
a financial institution, including associated
operations and support that provides related
products or services to meet the firm’s business
needs and those of its customers. Under certain
organizational structures, a business line may cross
legal entities or geographic jurisdictions.
‘‘Critical operations’’ are those operations,
including associated services, functions and
support, the failure or discontinuance of which, in
the view of the firm or the Federal Reserve, would
pose a threat to the financial stability of the United
States. All of the expectations for the management
of business lines apply to critical operations.
35 Depending on a firm’s organizational structure,
business line management may or may not be
members of senior management. If management of
a business line is not a member of senior
management, business line management is
responsible for fully engaging senior management,
so that senior management can effectively carry out
its responsibilities.
E:\FR\FM\11JAN1.SGM
11JAN1
1358
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
any business line in which a significant
control disruption, failure, or loss event
could result in a material loss of
revenue, profit, or franchise value, or
result in significant consumer harm.
A business line may cross legal
entities or geographic jurisdictions. In
instances where a business line of an
FBO is part of a larger business
conducted outside of the United States,
expectations apply only to the portion
of that business conducted in the United
States.36
This section is organized as follows:
A. Implementation and Execution of
Strategy and Risk Tolerance
B. Risk Identification and Risk
Management
C. Resources and Infrastructure
D. Business Controls
E. Accountability
A. Implementation and Execution of
Strategy and Risk Tolerance
Principle: Business line management
should execute business line activities
consistent with the firm’s strategy and
risk tolerance.
Business line management should
establish specific business and risk
objectives for each business line that
align with the firmwide strategy and
risk tolerance. Business line
management should inform senior
management when the business line’s
risk management capabilities are
insufficient to achieve those business
and risk objectives. In addition, during
the strategic planning process with
senior management, business line
management should clearly present the
risks emanating from the business line’s
activities. Business line management
should explain how those risks are
managed and align with the firm’s risk
tolerance.
Business line management should
provide information to senior
management regarding the business
line’s current and potential risk profile
and its alignment with the firm’s risk
tolerance. Information reported should
enable senior management to make
critical decisions about the business
line’s strategic direction and risks.
srobinson on DSK9F5VC42PROD with NOTICES
B. Risk Identification and Risk
Management
Principle: Business line management
should identify, measure, and manage
36 Business line management of the U.S.
operations should ensure that business line risks
are captured comprehensively with consideration
given to risks outside the United States that may
impact the FBO’s combined U.S. operations.
Moreover, business line management should
provide sufficient information to global
management and escalate issues, as appropriate, to
enable an understanding of the risks from the
combined U.S. operations.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
the risks associated with the business
activities under a broad range of
conditions, incorporating input from
IRM.37
Business line management should
identify, measure, and manage current
and emerging risks that stem from the
business line’s activities and changes to
external conditions.38 Where it is
difficult to assess risks quantitatively,
business line management should still
assess the impact of those risks, such as
through qualitative means. These risks
should include significant exposures
and activities, both on-balance and offbalance sheet, and any other potential
sources of risk related to the business
line’s activities. Business line
management should incorporate
appropriate feedback from IRM on
business line risk positions,
implementation of the risk tolerance,
and risk management practices,
including risk mitigation.
In measuring risks, business line
management should consider the size
and risk characteristics of the business
line’s exposures and business activities.
Business line management should
aggregate risks, including by business
activities or products. For instance,
management of a large commercial
lending business line should
understand risks affecting the business
line as a whole, and also within
segments of the business line, such as
large corporate exposures, commercial
real estate loans, and small business
lending.
The activities of a business line
should remain within risk limits
established by IRM.39 Business line
management should consult with senior
management before allowing any
exceptions to risk limits.40 This
consultation should culminate in a wellsupported decision by management to
37 As noted in the Independent Risk Management
and Controls section below, IRM is responsible for
conducting a separate, objective, critical assessment
of risks and risk-taking across the entire firm,
separate from the business line’s risk management
activities.
38 Emerging risks include those that have yet to
create a material impact or would only arise during
stressful or unlikely circumstances. The risk
assessment should include all relevant risks, both
financial and non-financial, including compliance
risk.
39 Business line management may develop its
own limits for internal business line use and may
provide input to the risk limit-setting process
defined by IRM. However, the internal limits of a
business line should not be less stringent than the
limits set by IRM because the limits set by IRM
should be the operative, formal, and binding across
the firm.
40 Business line management should evaluate
breaches of risk limits to determine whether a
breach represents a weakness in the monitoring or
limits framework for the business lines, and take
appropriate remedial action.
PO 00000
Frm 00032
Fmt 4703
Sfmt 4703
accept the risk or reduce its risk
exposure. Business line management
should subject any exceptions to risk
limits to the firm’s formal approval
process. A business line may need to
employ risk mitigation strategies to
remain aligned with the firmwide
strategy and risk tolerance.
A firm should have policies and
procedures for vetting new business
products and initiatives. Risks from new
businesses should be identified and
captured in risk management
governance, infrastructure, compliance,
and processes before commencing the
new business. Business line
management should escalate to senior
management any required changes or
modifications to risk management
systems or internal control policies and
procedures arising from the adoption of
a new business or initiative.
Additionally, growth in the new
business should be consistent with the
firm’s risk management capabilities.
C. Resources and Infrastructure
Principle: Business line management
should provide a business line with
the resources and infrastructure
sufficient to manage the business
line’s activities in a safe and sound
manner, and in compliance with
applicable laws and regulations,
including those related to consumer
protection, as well as policies,
procedures, and limits.
Business line management should
provide a business line with sufficient
resources and infrastructure to meet
strategic objectives while maintaining
financial and operational strength and
resilience over a range of operating
conditions, including stressful ones.41
Sufficient resources and infrastructure
include personnel with appropriate
training and expertise and management
information systems. Business line
management should inform senior
management if the business line’s
resources and infrastructure are
insufficient to meet its business
objectives.
Business line management should
ensure that the business line’s
41 ‘‘Financial strength and resilience’’ is defined
as maintaining effective capital and liquidity
governance and planning processes, and sufficiency
of related positions, to provide for continuity of the
consolidated organization and its core business
lines, critical operations, and banking offices
through a range of conditions.
‘‘Operational strength and resilience’’ is defined
as maintaining effective governance and controls to
provide for continuity of the consolidated
organization and its core business lines, critical
operations, and banking offices, and promote
compliance with laws and regulations, including
those related to consumer protection, through a
range of conditions.
E:\FR\FM\11JAN1.SGM
11JAN1
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
infrastructure is sound and appropriate
for the intended specific business
activities and that management
information systems are sufficiently
flexible to produce ad hoc and more
frequent reporting when necessary.
Business line management should
address any gaps or weaknesses
identified in the existing infrastructure
and escalate to senior management if
appropriate.
Business line management should
ensure that the business line has:
• Clearly defined staff roles and
responsibilities for key positions, as
well as management reporting lines;
• Appropriate separation of duties
and internal controls for effectively
managing risk associated with its
business strategy;
• Staff with skills and experience
commensurate with the business line’s
activities and risks; and
• Succession and contingency plans
for key positions.
Business line management should
provide training and development to its
staff to ensure sufficient knowledge of
business line activities; compliance,
operations and risk management
processes; controls; and business
continuity. Business line management
should reinforce balanced risk-taking
and provide incentives for appropriate
behaviors through talent management
processes, compensation arrangements,
and other performance management
processes.
D. Business Controls
srobinson on DSK9F5VC42PROD with NOTICES
Principle: Business line management
should ensure that the internal
control system is effective for the
business line operations.
Business line management should
develop and maintain an effective
system of internal control for its
business line that helps to ensure
compliance with laws and regulations,
including those related to consumer
protection, and supports effective risk
management.42 For example, a business
line’s system of internal control should
include access controls, change
controls, and data integrity controls,
including data reconciliations, variance
analysis, and data quality logic checks.
The system of internal control for a
business line should be commensurate
with the business line’s size, scope of
operations, activities, and risk profile. A
comprehensive system of internal
control includes policies, procedures,
42 In developing and maintaining its system of
internal control, a business line may use the
internal controls that are in place across the firm.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
systems, and processes specific to the
business line.
Business line management should
regularly test to ensure the controls
within its business line are functioning
as expected and are effective in
managing risks. More frequent testing is
appropriate for key controls, or controls
that have undergone a material change.
Business line management should
ensure that deficiencies in control
design and operating effectiveness are
remediated. Business line management
should provide periodic reports on the
operation of controls to senior
management and escalate to senior
management material internal control
deficiencies and any systematic control
violations. Finally, business line
management should reassess all key
controls periodically to ensure
relevancy and alignment with current
approved policies.
E. Accountability
Principle: Business line management
and staff are accountable for
operating within established policies
and guidelines, and acting in
accordance with applicable laws,
regulations, and supervisory
guidance, including those related to
consumer protection.
Business line management should
establish policies and guidelines that
specify accountability, set forth clear
lines of management authority within
the business line, and clearly align
desired behavior with the firm’s
performance management incentives.
Business line management should hold
their staff accountable to the extent
behavior that is inconsistent with the
board and senior management directives
and inform senior management as
appropriate. Business line management
should ensure that training for new and
existing employees explicitly addresses
and emphasizes the importance of
professional conduct and compliance
with laws and regulations, including
those related to consumer protection.
Business line management should
have ongoing and effective means to
prevent, detect, and remediate risk
management and compliance failures of
business line policies and procedures,
as well as policies and limits
established by the firm’s senior
management. Business line management
should develop processes with
indicators and early warning
mechanisms to facilitate timely
detection of existent and potential
issues. Business line management
should actively supervise employees in
light of the firm’s policies and
guidelines.
PO 00000
Frm 00033
Fmt 4703
Sfmt 4703
1359
III. Core Principles of Independent Risk
Management and Controls
There are three key areas covered in
this section: (1) IRM, which provides an
objective, critical assessment of risks
and evaluates whether a firm remains
aligned with its stated risk tolerance; (2)
a system of internal control to guide
practices, provide appropriate checks
and balances, and confirm quality of
operations; and (3) internal audit, which
provides independent assessments of
the effectiveness of the risk management
framework and the system of internal
control.
This section is organized as follows:
A. Governance, Independence, and
Stature
1. Chief Risk Officer (CRO)
2. Chief Audit Executive (CAE)
B. Independent Risk Management
1. Risk Tolerance and Limits
2. Risk Identification, Measurement,
and Assessment
3. Risk Reporting
C. Internal Controls
D. Internal Audit
Except for the roles of the CRO and
the CAE, this guidance does not purport
to prescribe in detail the governance
structure for a firm’s IRM and controls.
Senior management should establish
and maintain clear lines of
responsibility and accountability so that
activities are conducted in a manner
that satisfies supervisory expectations.
Supervisory expectations related to
independent risk management apply to
the U.S. CRO and the U.S. risk
committee of an FBO for the combined
U.S. operations in the same manner as
these expectations apply to the CRO and
risk committee of a domestic holding
company. For an FBO, the internal audit
function for the combined U.S.
operations should have appropriate
independent oversight of those.
A. Governance, Independence, and
Stature 43
1. Chief Risk Officer
Principle: The CRO should establish
and maintain IRM that is appropriate
for the size, complexity, and risk
profile of the firm.
The Board’s Regulation YY requires
certain firms to have a CRO with
sufficient capability and experience in
identifying, assessing, and managing
risk exposures of large, complex
43 ‘‘Stature’’ refers to the ability and authority to
influence decisions and effect change throughout
the organization, procure resources necessary to
carry out responsibilities, escalate issues as needed
to senior management and the board, and observe
or participate on relevant management committees.
E:\FR\FM\11JAN1.SGM
11JAN1
1360
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
srobinson on DSK9F5VC42PROD with NOTICES
financial institutions.44 To promote the
stature and independence of IRM, the
CRO must report directly to the board’s
risk committee as well as to the CEO.45
The CRO also must provide reports to
the board’s risk committee at least
quarterly.46
As part of overseeing IRM, the CRO
should guide IRM to establish and
monitor compliance with enterprisewide risk limits, identify and aggregate
the firm’s risks, assess the firm’s risk
positions relative to the parameters of
the firm’s risk tolerance, and provide
relevant risk information to senior
management and the board. The CRO
should also oversee communication of
the firm’s risk limits to the board and
relevant firm management and staff.
The CRO should inform the board if
his or her stature, independence, or
authority is not sufficient to provide
objective and independent assessments
of the firm’s risks, risk management
activities, and system of internal
control.47 Further, the CRO should be
included in discussions with other
senior management and the board
related to key decisions such as strategic
planning and capital and liquidity
planning. The CRO should also provide
input to the board on incentive
compensation plan design and
effectiveness.
The CRO should escalate issues to
senior management and the board when
activities or practices at the firmwide,
risk-specific, and business-line level do
not align with the firm’s overall risk
tolerance. For example, the CRO should
report concerns to the board’s risk
committee if the firm does not have
sufficient risk management capacity to
enter into a proposed merger or new
product line and promote the taking of
appropriate actions, as warranted. The
CRO should recommend constraints on
risk-taking and enhancements to risk
management practices to senior
management and the board. The CRO or
IRM should be involved in any proposal
to waive or make exceptions to
established risk limits, including on a
44 12 CFR 252.33(b); 12 CFR 252.155(b). For an
FBO, references to CRO and risk committee mean
the U.S. CRO and U.S. risk committee required
under 12 CFR 252.155.
45 12 CFR 252.33(b)(3)(ii). For an FBO, the U.S.
CRO must report to the U.S. risk committee and the
global CRO or equivalent management official(s)
who is responsible for overseeing the
implementation of and compliance with policies
and procedures relating to risk management
governance, practices, and risk controls of the FBO
(unless the Federal Reserve approves an alternate
reporting structure). 12 CFR 252.155(b)(3).
46 12 CFR 252.33(a)(3)(v). This requirement does
not apply to the U.S. CRO of an FBO.
47 Other officers of the firm may oversee portions
of functions involved in risk management and
control activities.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
temporary basis, should provide an
assessment of any such proposal, and
should escalate the proposal to the
board of directors as appropriate. The
necessary level of approval within IRM
and escalation should be clearly
articulated in policies and procedures
and commensurate with the nature of
the risk limit.
The CRO should support the
independence of IRM from the business
lines by establishing clearly defined
roles and responsibilities, and reporting
lines. The CRO should periodically
assess whether IRM has appropriate
staffing and systems; sufficient
understanding of the risks and business
activities being evaluated; and sufficient
authority to identify and escalate
material or persistent risk management
and control deficiencies and to
challenge senior management and
business line management when
warranted.
2. Chief Audit Executive
Principle: The CAE should have clear
roles and responsibilities to establish
and maintain an internal audit
function that is appropriate for the
size, complexity and risk profile of the
firm.
A firm should have a CAE, appointed
by the board, with sufficient capability,
experience, independence and stature to
manage the internal audit function’s
responsibilities appropriate to the size
and complexity of the firm.48 The CAE
should effectively manage all aspects of
internal audit work on an ongoing basis,
including any internal audit work that
is outsourced. The CAE should have the
authority to oversee all internal audit
activities and to hire internal audit staff
with sufficient capability and stature.
Under the direction of the CAE, the
internal audit function performs
independent assessments of the
effectiveness of the firm’s system of
internal control and the risk
management framework. The CAE
should report findings, issues, and
concerns to the board’s audit committee
and senior management.
B. Independent Risk Management 49
1. Risk Tolerance and Limits
Principle: IRM should evaluate whether
the firm’s risk tolerance appropriately
48 See
SR letter 13–1/CA letter 13–1,
‘‘Supplemental Policy Statement on the Internal
Audit Function and Its Outsourcing.’’
49 Independent risk management is comprised of
a range of risk management functions. For example,
firms should have an independent compliance risk
management function that establishes a firmwide
compliance risk management program and
delineates responsibilities for managing compliance
risk. See SR letter 08–08/CA letter 08–11,
PO 00000
Frm 00034
Fmt 4703
Sfmt 4703
captures the firm’s material risks and
confirm that the risk tolerance is
consistent with the capacity of the
risk management framework.
IRM should provide input into and
evaluate the firm’s risk tolerance to
ensure that it appropriately captures the
firm’s material risks and aligns with the
firm’s strategy and the corresponding
business activities.50 In addition, IRM
should evaluate whether the risk
tolerance:
• Addresses risks under normal and
stressed conditions and considers
changes in the risk environment;
• Includes risks associated with the
firm’s revenue generating activities, as
well as other aspects of risks inherent to
the business, such as compliance,
information technology, and
cybersecurity;
• Incorporates realistic risk and
reward assumptions that, for example,
do not overestimate expected returns
from business activities or
underestimate risks associated with
business activities; and
• Guides the firm’s risk-taking and
risk mitigation activities.
IRM should determine whether the
firm’s risk profile is consistent with the
firm’s risk tolerance and assess whether
the firm’s risk management framework
has the capacity to manage the risks
outlined in the risk tolerance.
Specifically, IRM should determine
whether there are sufficient resources
and infrastructure in the relevant areas
of the firm to properly identify, manage,
and report the risks associated with the
business strategies outlined in the risk
tolerance, including during stressful or
unanticipated conditions.
Principle: IRM should establish
enterprise-wide risk limits consistent
with the firm’s risk tolerance and
monitor adherence to such limits.
Under direction of the CRO, IRM
should establish enterprise-wide risk
limits that are consistent with the firm’s
risk tolerance for the firm’s full set of
risks, including risks associated with
revenue generating activities and those
inherent to the business. Risk limits
should be assigned to specific risk
types, business lines, legal entities,
jurisdictions, geographic areas,
concentrations, products or activities,
‘‘Compliance Risk Management Programs and
Oversight at Large Banking Organizations with
Complex Compliance.’’ The structure and reporting
lines for such an independent compliance risk
management function may vary across firms.
50 The development and ongoing update of a
firm’s risk tolerance is an iterative process, meaning
that several parties provide input on a continual
basis. IRM’s input into and evaluation of the risk
tolerance should fit into this overall process and
may occur at several different stages.
E:\FR\FM\11JAN1.SGM
11JAN1
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
srobinson on DSK9F5VC42PROD with NOTICES
commensurate with the firm’s risk
profile. For example, risk limits can
cover single counterparty credit
exposures, funding concentrations,
country exposures, or subprime lending
activities. Risk limits should be clear,
relevant, and current. IRM should create
lower-level risk limits, such as for an
individual business line, based on the
enterprise-wide risk limits.
Risk limits should be quantitative and
qualitative. For instance, quantitative
limits can be set relative to earnings,
assets, liabilities, capital, liquidity, or
other relevant benchmarks. IRM should
set qualitative limits—such as an expert
assessment to constrain business in a
given country—as a proxy for risks or
aspects of risks that are more difficult to
quantify. Risk limits should include
explicit thresholds that, if crossed,
strictly prohibit the activity generating
the risk.
To the extent possible, risk limits
should:
• Consider the range of possible
external conditions facing the firm over
a period of time;
• Consider the aggregation and
interaction of risks across the firm;
• Be consistent with the firm’s
financial resources, such as available
capital and liquidity, as well as with
non-financial aspects, such as
managerial, technological, and
operational resources; and
• Reinforce compliance with laws
and regulations, including those related
to consumer protection, and consistency
with supervisory expectations.
IRM should monitor and update risk
limits as appropriate, especially as the
firm’s risk tolerance is updated, the
firm’s risk profile changes, or external
conditions change. IRM should also
identify significant trends in risk levels
to evaluate whether risk-taking and risk
management practices are consistent
with the firm’s strategic objectives. IRM
should escalate to senior management
any material breaches of the firm’s
enterprise-wide risk limits and risk
tolerance, as well as instances where
IRM’s conclusions differ from the
conclusions of a business line.
2. Risk Identification, Measurement, and
Assessment
Principle: IRM should identify and
measure the firm’s risks.
IRM’s activities are conducted in
addition to business line risk
management activities described above
and should provide an objective, critical
perspective of a firm’s risks. IRM should
identify and measure current and
emerging risks within and across
business lines and risk types, as well as
any other relevant perspectives, such as
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
by legal entity or jurisdiction. Where it
is difficult to assess risks quantitatively,
IRM should still assess the impact of
those risks, such as through qualitative
means. IRM should conduct its risk
identification and measurement work
on an ongoing basis to reflect any
changes in exposures, business
activities, and the broader operating
environment, including changes in law
and supervisory expectations.
IRM should identify risk types,
including credit, market, operational,
liquidity, interest rate, legal, compliance
and related risks (such as consumer
protection and Bank Secrecy Act/antimoney laundering). IRM should
establish minimum internal standards
for all of its risk identification and
measurement practices to ensure
consistent quality across different risks.
IRM’s standards should include both
quantitative and qualitative elements,
with the latter especially important for
risks or aspects of risks that are more
difficult to quantify. The standards at a
firm should be dynamic, inclusive, and
comprehensive.
To conduct effective risk
identification and measurement, IRM
should have access to timely, reliable,
and comprehensive information about
all risk-related exposures and activities
in the firm. This should include
emerging or potential sources of risk.
IRM should seek input across the firm
in identifying risks. IRM may utilize
information collected or used from
business lines; however, IRM should not
rely on business line information
exclusively. IRM staff should also draw
upon external information, such as peer
data or market information, to
supplement their assessments.
IRM should regularly measure
identified risks under both normal and
stressful operating conditions. In
measuring risks, IRM should consider
the size and risk characteristics of the
firm’s exposures and business activities.
Within each risk type, IRM should rely
on a range of metrics and use measures
appropriate to different risk types.
Principle: IRM should aggregate risks
and provide an independent
assessment of the firm’s risk profile.
IRM should aggregate risks across the
entire firm and assess those risks
relative to the firm’s risk tolerance.51
IRM should identify material or critical
concentrations of risks and assess the
likelihood and potential impact of those
risks on the firm. Further, IRM should
identify activities or exposures that have
51 For example, IRM should be able to aggregate
all retail credit risk across the firm’s different
consumer business lines (such as credit cards,
residential mortgages, and auto lending).
PO 00000
Frm 00035
Fmt 4703
Sfmt 4703
1361
related risk factors and assess the
combined impact of those risk factors on
the firm. IRM should assess risk
information along different meaningful
dimensions at a more granular level
than firmwide, such as by business line,
geographic regions, obligors,
counterparties, and products, to
determine how those impact the firm’s
risk profile.
IRM should conduct risk assessments
using information from risk
identification, measurement, and
aggregation to determine the impact of
risks on the firm and to inform senior
management and the board about the
suitability of risk positions relative to
risk limits and the risk tolerance. IRM
should assess risks and risk drivers
within and across business lines and
risk types, as well as any other material
perspectives, such as by legal entity or
jurisdiction. Further, IRM should
analyze any assumptions related to risk
diversification. IRM also should assess
risk mitigation strategies, including the
effectiveness of such mitigation in a
range of circumstances, and recommend
alternatives if concerns arise.
IRM should identify information gaps,
uncertainties, and limitations in risk
assessments for senior management, and
as appropriate, for the board. For
instance, in analyzing a new product
area or business line, IRM should
acknowledge areas of insufficient
information that limit a complete
assessment of the risks and provide a
measured implementation plan to
obtain the necessary information.
3. Risk Reporting
Principle: IRM should provide the board
and senior management with risk
reports that accurately and concisely
convey relevant, material risk data
and assessments in a timely manner.
Risk reporting should be
comprehensive, useful, accurate, and
timely. Risk reporting should cover
current and emerging risk and
adherence to risk limits and risk
concentrations as well as the firm’s
ongoing strategic, capital, and liquidity
planning processes. Risk reporting
should enable prompt escalation and
remediation of material problems;
enhance appropriate and timely
responses to identified problems;
provide current and forward-looking
perspectives; and support or influence
strategic decision-making. Risk
reporting should provide information on
aggregate risks within and across
business lines and risk types, as well as
by legal entity or jurisdiction and
significant concentrations.
Risk reporting should be tailored to
meet the differing information needs of
E:\FR\FM\11JAN1.SGM
11JAN1
1362
Federal Register / Vol. 83, No. 8 / Thursday, January 11, 2018 / Notices
srobinson on DSK9F5VC42PROD with NOTICES
the board, senior management, and
others within the firm. The frequency of
reporting should depend on needs of the
firm and the materiality of the issues.
Risk reporting should adapt to market
downturns or stress events.
C. Internal Controls
Principle: A firm should identify its
system of internal control and
demonstrate that it is commensurate
with the firm’s size, scope of
operations, activities, risk profile,
strategy, and risk tolerance, and
consistent with all applicable laws
and regulations, including those
related to consumer protection.
Internal controls cover a wide range of
activities and processes, and could
include the following: 52
• Policies and procedures that set
expectations for and govern the firm’s
business activities and support
functions; establish appropriate levels of
authority, responsibility, and
accountability for overseeing and
executing the firm’s activities; and
establish standards for prudent risktaking behaviors.
• Clear assignment of roles and
responsibilities and appropriate
separation of duties.
• Physical controls for restricting
access to tangible assets.
• Approvals and appropriate dual
authorizations for key decisions,
transactions, and execution of
processes.
• Verifications of transaction details
and periodic reconciliations, such as
those comparing cash flows to account
records and statements.
• Access controls, change
management controls, data entry and
related controls.
• Escalation procedures with a
system of checks and balances in
situations that allow for managerial or
employee discretion.
Internal controls instill confidence in
financial reporting and are important to
ensure the integrity of the process and
information relied upon by the firm to
manage itself. Developing and
maintaining an effective system of
internal control is the responsibility of
several parties, including business line
management.53 Accordingly, a firm
should assign management
responsibilities for the establishment
and maintenance of internal controls.
To foster an appropriate control culture
52 See SR letter 03–5, ‘‘Amended Interagency
Guidance on the Internal Audit Function and its
Outsourcing.’’
53 As described below, the internal audit function
should examine, evaluate, and perform an
independent assessment of the firm’s internal
control system.
VerDate Sep<11>2014
00:05 Jan 11, 2018
Jkt 244001
within the firm, adequate control
activities should be integrated into the
daily functions of all relevant personnel.
All personnel should fully understand
and adhere to policies and procedures
affecting their duties and
responsibilities.
Principle: A firm should regularly
evaluate and test the effectiveness of
internal controls, and monitor
functioning of controls so that
deficiencies are identified and
communicated in a timely manner.
A firm should have mechanisms to
test its system of internal control and to
identify and escalate issues that appear
to compromise its effectiveness. A firm
should regularly evaluate and test the
quality, reliability and effectiveness of
internal controls, and monitor any
potential deterioration. Generally,
testing activities are conducted at
specific points in time, whereas
monitoring activities are continuous
processes. The scope, frequency, and
depth of testing should consider the
complexity of the firm, the results of the
firm’s risk assessments, and the number
and significance of the deficiencies
identified during prior testing. A firm
should test and monitor internal
controls using a risk-based approach,
prioritizing efforts on controls in areas
of highest risk and less effective
controls.
A firm should evaluate and
communicate internal control
deficiencies in a timely manner to those
parties responsible for taking corrective
action, including senior management.
Firms should establish management
information systems that track internal
control weaknesses and escalate serious
matters to the board, senior
management, and responsible business
line management, as appropriate.
D. Internal Audit
Principle: The internal audit function
should examine, evaluate, and
perform independent assessments of
the firm’s risk management and
internal control systems and report
findings to senior management and
the firm’s audit committee.
An effective internal audit function
provides independent assurance to the
board and senior management
concerning the effectiveness of risk
management and internal control
systems. The Federal Reserve issued
guidance outlining the key components
of an effective internal audit function in
SR letter 03–5, and followed that with
supplemental guidance in SR letter 13–
1/CA letter 13–1, ‘‘Supplemental Policy
Statement on the Internal Audit
Function and Its Outsourcing.’’ The
PO 00000
Frm 00036
Fmt 4703
Sfmt 4703
supplemental guidance builds upon the
2003 interagency guidance of SR letter
03–5 and further addresses the
characteristics, governance, and
operational effectiveness of a firm’s
internal audit function. That existing
audit guidance remains in place and is
not superseded by this guidance.
By order of the Board of Governors of the
Federal Reserve System, January 5, 2018.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2018–00294 Filed 1–10–18; 8:45 am]
BILLING CODE P
FEDERAL RESERVE SYSTEM
Formations of, Acquisitions by, and
Mergers of Bank Holding Companies
The companies listed in this notice
have applied to the Board for approval,
pursuant to the Bank Holding Company
Act of 1956 (12 U.S.C. 1841 et seq.)
(BHC Act), Regulation Y (12 CFR part
225), and all other applicable statutes
and regulations to become a bank
holding company and/or to acquire the
assets or the ownership of, control of, or
the power to vote shares of a bank or
bank holding company and all of the
banks and nonbanking companies
owned by the bank holding company,
including the companies listed below.
The applications listed below, as well
as other related filings required by the
Board, are available for immediate
inspection at the Federal Reserve Bank
indicated. The applications will also be
available for inspection at the offices of
the Board of Governors. Interested
persons may express their views in
writing on the standards enumerated in
the BHC Act (12 U.S.C. 1842(c)). If the
proposal also involves the acquisition of
a nonbanking company, the review also
includes whether the acquisition of the
nonbanking company complies with the
standards in section 4 of the BHC Act
(12 U.S.C. 1843). Unless otherwise
noted, nonbanking activities will be
conducted throughout the United States.
Unless otherwise noted, comments
regarding each of these applications
must be received at the Reserve Bank
indicated or the offices of the Board of
Governors not later than February 6,
2018.
A. Federal Reserve Bank of Chicago
(Colette A. Fried, Assistant Vice
President) 230 South LaSalle Street,
Chicago, Illinois 60690–1414:
1. Emmetsburg Bank Shares Inc.,
Emmetsburg, Iowa; to acquire 100
percent of the outstanding shares of
Panora State Bank, Panora, Iowa.
E:\FR\FM\11JAN1.SGM
11JAN1
]]>Agencies
[Federal Register Volume 83, Number 8 (Thursday, January 11, 2018)]
[Notices]
[Pages 1351-1362]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-00294]
=======================================================================
-----------------------------------------------------------------------
FEDERAL RESERVE SYSTEM
[Docket No. OP-1594]
Proposed Supervisory Guidance
AGENCY: Board of Governors of the Federal Reserve System (Board).
ACTION: Proposed supervisory guidance.
-----------------------------------------------------------------------
SUMMARY: The Board is seeking comment on proposed guidance describing
core principles of effective senior management, the management of
business lines, and independent risk management and controls for large
financial institutions. The proposal would apply to domestic bank
holding companies with total consolidated assets of $50 billion or
more; savings and loan holding companies with total consolidated assets
of $50 billion or more; the combined U.S. operations of foreign banking
organizations with combined U.S. assets of $50 billion or more; any
state member bank subsidiaries of the foregoing; and systemically
important nonbank financial companies designated by the Financial
Stability Oversight Council for supervision by the Board.
DATES: Comments must be received no later than March 15, 2018.
ADDRESSES: Interested parties are invited to submit written comments by
following the instructions for submitting comments at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
Email: [email protected]. Include the
docket number in the subject line of the message.
Fax: (202) 452-3819 or (202) 452-3102.
Mail: Address to Ann E. Misback, Secretary, Board of
Governors of the Federal Reserve System, 20th Street and Constitution
Avenue NW, Washington, DC 20551.
All public comments will be made available on the Board's website
at https://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as
submitted, unless modified for technical reasons. Accordingly, comments
will not be edited to remove any identifying or contact information.
Public comments may also be viewed electronically or in paper in Room
3515, 1801 K Street NW (between 18th and 19th Street NW), Washington,
DC 20006 between 9:00 a.m. and 5:00 p.m. on weekdays.
FOR FURTHER INFORMATION CONTACT: Michael Hsu, Associate Director, (202)
912-4330, Richard Naylor, Associate Director, (202) 728-5854, Vaishali
Sack, Manager, (202) 452-5221, April Snyder, Manager, (202) 452-3099,
David Palmer, Senior Supervisory Financial Analyst, (202) 452-2904,
Jennifer Su, Senior Supervisory Financial Analyst, (202) 475-6348,
Christine Graham, Senior Supervisory Financial Analyst, (202) 452-3005,
Division of Supervision and Regulation; Laurie Schaffer, Associate
General Counsel, (202) 452-2272, Benjamin W. McDonough, Assistant
General Counsel, (202) 452-2036, Scott Tkacz, Senior Counsel, (202)
452-2744, Keisha Patrick, Senior Counsel, (202) 452-3559, or
Christopher Callanan, Senior Attorney, (202) 452-3594, Legal Division,
Board of Governors of the Federal Reserve System, 20th and C Streets
NW, Washington, DC 20551. For the hearing impaired only,
Telecommunications Device for the Deaf (TDD) users may contact (202)
263-4869.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Background
II. LFI Rating System and Board Effectiveness Proposals
III. Implementation
IV. Objectives of the Proposed Guidance
V. Applicability
VI. Description of the Proposed Guidance
A. Core Principles of Effective Senior Management
B. Core Principles of the Management of Business Lines
C. Core Principles of Independent Risk Management and Controls
I. Background
The Board invites comment on proposed guidance setting forth core
principles of effective senior management, the management of business
lines, and independent risk management (``IRM'') and controls for large
financial institutions (``LFIs''). This proposal is part of a broader
initiative by the Federal Reserve to develop a supervisory rating
system and related supervisory guidance that would align with its
consolidated supervisory framework for LFIs. Drawing on lessons from
the 2007-2009 financial crisis, the Federal Reserve reevaluated its
approach to supervision of LFIs, including systemically important
firms. In 2010, the Federal Reserve established the Large Institution
Supervision Coordinating Committee (``LISCC'') to coordinate its
supervisory oversight for the systemically important firms that pose
the greatest risk to U.S. financial
[[Page 1352]]
stability.\1\ In 2012, the Federal Reserve implemented a new
consolidated supervisory program for LFIs (``LFI supervision
framework'') described in SR letter 12-17.\2\ The LFI supervision
framework is focused on four core areas--capital planning and
positions, liquidity risk management and positions, governance and
controls, and resolution planning.\3\
---------------------------------------------------------------------------
\1\ Presently, the LISCC portfolio consists of eight domestic
bank holding companies, four foreign banking organizations, and one
nonbank financial company designated by the Financial Stability
Oversight Council (``FSOC'') for supervision by the Federal Reserve.
The domestic bank holding companies are: (1) Bank of America
Corporation; (2) Bank of New York Mellon Corporation; (3) Citigroup
Inc.; (4) Goldman Sachs Group, Inc.; (5) JP Morgan Chase & Co.; (6)
Morgan Stanley; (7) State Street Corporation; and (8) Wells Fargo &
Company. The foreign banking organizations are: (1) Barclays PLC;
(2) Credit Suisse Group AG; (3) Deutsche Bank AG; and (4) UBS AG.
The nonbank financial company is Prudential Financial, Inc. The list
of firms included in the LISCC supervisory program is available at
https://www.federalreserve.gov/bankinforeg/large-institution-supervision.htm. Hereinafter in this preamble, these firms may be
referred to as ``LISCC firms.''
\2\ See SR letter 12-17/CA letter 12-14, ``Consolidated
Supervision Framework for Large Financial Institutions,'' (referred
to as ``SR letter 12-17'' in this preamble).
\3\ The Board previously set forth expectations for resolution
planning for domestic LISCC firms in SR letter 14-8, ``Consolidated
Recovery Planning for Certain Large Domestic Bank Holding
Companies.''
---------------------------------------------------------------------------
II. LFI Rating System and Board Effectiveness Proposals
In August 2017, the Board invited comment on two proposals that
relate to this guidance, a new rating system for LFIs (``proposed LFI
rating system'') \4\ and proposed guidance addressing supervisory
expectations for boards of directors (``BE proposal'').\5\ On November
17, 2017, the Board extended the public comment period for the proposed
LFI rating system and BE proposal until February 15, 2018, to give the
public an opportunity to understand and comment on the proposed LFI
rating system, the BE proposal, and this proposed guidance together.
---------------------------------------------------------------------------
\4\ 82 FR 39049 (August 17, 2017). The proposed LFI rating
system would apply to all bank holding companies with total
consolidated assets of $50 billion or more; all non-insurance, non-
commercial savings and loan holding companies with total
consolidated assets of $50 billion or more; and U.S. intermediate
holding companies of foreign banking organizations established
pursuant to the Federal Reserve's Regulation YY.
\5\ 82 FR 37219 (August 9, 2017).
---------------------------------------------------------------------------
The proposed LFI rating system would provide a supervisory
evaluation of whether a firm possesses sufficient financial and
operational strength and resilience to maintain safe and sound
operations through a range of conditions. Consistent with the LFI
supervision framework, the proposed LFI rating system would include
assessments of a firm's capital, liquidity, and governance and
controls. As discussed further below, the BE proposal and this proposal
set forth supervisory expectations relevant to the assessment of a
firm's governance and controls.
The governance and controls component would consist of three
elements: (i) Effectiveness of a firm's board of directors, (ii)
management of business lines and independent risk management and
controls, and (iii) recovery planning (for domestic LISCC firms only).
To facilitate comment on the proposed LFI rating system, the
preamble to the proposed LFI rating system included a summary which
previewed the proposed expectations included in this proposal. This
proposal is generally consistent with that summary, with two
exceptions. First, this proposal expands the scope of the guidance to
foreign banking organizations.\6\ Second, this proposal adopts slightly
different terminology than is used in the proposed LFI rating system to
describe expectations for the management of business lines. However,
the change does not change the substance of those expectations
described in the proposed LFI rating system.\7\ The Board would expect
to apply the terminology used in this guidance in any final LFI rating
system; however, this change would not impact the supervisory
assessment of a firm's management of business lines for purposes of the
governance and controls component rating.
---------------------------------------------------------------------------
\6\ The preamble to the proposed LFI rating system described the
management of business lines and IRM and controls for domestic LFIs,
and noted that adjustments to extend applicability of the guidance
to the U.S. operations of FBOs may be made prior to issuing this
guidance for public comment. This preamble highlights those
adjustments.
\7\ See discussion of this change in section VI.B of this
preamble.
---------------------------------------------------------------------------
The BE proposal sets forth attributes of an effective board of
directors. It is intended to better distinguish the supervisory
expectations for boards from those of senior management and encourage
boards to focus time and attention on their core responsibilities.\8\
The expectations in the BE proposal would inform the Board's evaluation
of the effectiveness of a firm's board of directors under the
governance and control component of the proposed LFI rating system.
---------------------------------------------------------------------------
\8\ ``Board'' or ``board of directors'' also refers to
committees of the board of directors, as appropriate.
At this time, recovery planning expectations apply only to
domestic bank holding companies in the LISCC portfolio. See SR
letter 14-8, ``Consolidated Recovery Planning for Certain Large
Domestic Bank Holding Companies.'' Should the Federal Reserve expand
the scope of recovery planning expectations to encompass additional
firms, this rating will reflect such expectations for the broader
set of firms.
---------------------------------------------------------------------------
III. Implementation
The proposed LFI rating system would provide a supervisory
evaluation of whether a firm possesses sufficient financial and
operational strength and resilience to maintain safe and sound
operations through a range of conditions. This proposed guidance builds
upon the proposed LFI rating system framework by providing additional
detail regarding supervisory expectations for a firm's management of
business lines and independent risk management and controls. For firms
that would be subject to the proposed LFI rating system, these
expectations would help inform the Federal Reserve's overall
supervisory evaluation, for purposes of the proposed LFI rating system,
of each firm's governance and controls to support the firm's financial
and operational strength and resilience, which would be reflected by
the governance and controls component rating under the proposed LFI
rating system.\9\
---------------------------------------------------------------------------
\9\ The Federal Reserve expects to finalize the proposed
guidance for use in assigning initial ratings under the LFI rating
system beginning in 2018. If the proposed LFI rating system were
finalized before this proposed guidance, the Federal Reserve would
use existing supervisory guidance to help inform its evaluation of
each firm's governance and controls for purposes of the proposed LFI
rating system, until such time that this proposed guidance is
finalized.
For firms that would be subject to this proposed guidance but
not subject to the proposed LFI rating system, this proposed
guidance would help inform the Federal Reserve's evaluation of the
firm's overall safety and soundness and the effectiveness of its
risk management practices.
---------------------------------------------------------------------------
The Federal Reserve would not expect to examine all of a firm's
business lines which are subject to this proposed guidance during a
single year. Instead, consistent with its current supervisory practice,
the Federal Reserve would use a risk-based approach to determine which
business lines of a firm to examine or review during the year. In
conducting its supervisory planning for an upcoming exam cycle, the
Federal Reserve would consider factors related to the potential for
weaknesses in a firm's governance and controls.\10\ Such factors would
include the size and complexity of the business line, recent
supervisory experience, the relative growth and maturity of the
business line, and significant changes to strategy, structure, or
management since the last
[[Page 1353]]
exam cycle. In order to minimize unnecessary duplication for firms
subject to this guidance, the Federal Reserve would, to the extent
possible, evaluate a firm's governance and controls in coordination
with other relevant Federal and state agencies, particularly the
primary regulators of the firm's insured depository institution
subsidiaries.
---------------------------------------------------------------------------
\10\ For supervisory planning purposes, the Federal Reserve may
reevaluate at any time which areas of a firm to examine or review,
as circumstances warrant.
---------------------------------------------------------------------------
IV. Objectives of the Proposed Guidance
The proposed guidance is intended to consolidate and clarify the
Federal Reserve's existing supervisory expectations regarding risk
management.\11\ In addition, the proposed guidance is designed to
delineate the roles and responsibilities for individuals and functions
related to risk management. It would complement the BE proposal by
aligning the attributes of senior management with those of an effective
board of directors. For instance, the BE proposal provides that an
effective board of directors sets the firm's strategy and risk
tolerance, and this proposal contemplates that the firm's senior
management implements the strategy and risk tolerance approved by the
board. In this way, the proposed guidance would better distinguish the
supervisory expectations for boards from those of senior management.
The proposal also defines the roles and responsibilities for various
individuals and functions within an organization that are accountable
for risk management, including a firm's senior management, business
line management, and independent risk management and audit functions.
Delineating roles and responsibilities for risk management should
enable the Federal Reserve to provide firms with more specific and
consistent supervisory feedback.
---------------------------------------------------------------------------
\11\ For firms subject to this proposed guidance, the proposed
guidance would supersede SR letter 95-51, ``Rating the Adequacy of
Risk Management Processes and Internal Controls at State Member
Banks and Bank Holding Companies.'' SR letter 95-51 was superseded
by SR letter 16-11 for state member banks, bank holding companies,
and savings and loan holding companies (including insurance and
commercial savings and loan holding companies) with less than $50
billion in total consolidated assets, and FBOs with consolidated
U.S. assets of less than $50 billion. See SR letter 16-11,
``Supervisory Guidance for Assessing Risk Management at Supervised
Institutions with Total Consolidated Assets Less than $50 Billion.''
---------------------------------------------------------------------------
V. Applicability
The proposed guidance would apply to domestic bank holding
companies with total consolidated assets of $50 billion or more;
savings and loan holding companies with total consolidated assets of
$50 billion or more; the combined U.S. operations of foreign banking
organizations (``FBOs'') with combined U.S. assets of $50 billion or
more; any state member bank subsidiaries of the foregoing; and
systemically important nonbank financial companies designated by FSOC
for supervision by the Board.\12\
---------------------------------------------------------------------------
\12\ As described in the proposed guidance, references to
``firm'' refer to all entities subject to this guidance, including
the combined U.S. operations of an FBO, unless the context requires
otherwise.
---------------------------------------------------------------------------
For FBOs, the proposed guidance would apply to an FBO's combined
U.S. operations, including branch and subsidiary operations. This scope
would be consistent with certain requirements of the Board's Regulation
YY, which requires, among other things, FBOs to establish a risk
management framework that covers both the U.S. branch and U.S. non-
branch subsidiary operations, establish a U.S. risk committee to
oversee the risks of the combined U.S. operations, and employ a chief
risk officer (``CRO'') based in the United States.\13\
---------------------------------------------------------------------------
\13\ 12 CFR 252.155. For an FBO, references to CRO mean the U.S.
CRO. Unlike this proposal, the BE proposal would not apply to the
U.S. operations of a foreign banking organization, due to concerns
of extraterritoriality and differences in organizational structure
and legal requirements in other jurisdictions. In the preamble to
the BE proposal, the Board stated that it was considering applying
that guidance to the boards of directors of U.S. intermediate
holding companies, and sought comment on that proposed application.
---------------------------------------------------------------------------
Given that an FBO's combined U.S. operations are part of a larger
global organization, the proposed guidance notes that certain elements
of an FBO's governance framework may be located outside of the United
States. In this event, the proposed guidance provides that these
elements should enable effective governance and risk management by the
U.S. senior management, the U.S. risk committee, and the intermediate
holding company (``IHC'') board (as applicable), and should facilitate
U.S. supervisors' ability to assess the adequacy of governance and
controls in the combined U.S. operations.
The proposed guidance also applies to nonbank financial companies
supervised by the Board and insurance or commercial savings and loan
holding companies with total consolidated assets of $50 billion or
more. The concepts set forth in the proposed guidance relate to
fundamental risk management practices that are applicable to all LFIs.
VI. Description of the Proposed Guidance
The proposed guidance is organized in three parts: (1) Core
principles of effective senior management; (2) core principles of the
management of business lines; and (3) core principles of IRM and
controls.
A. Core Principles of Effective Senior Management
The proposed guidance sets forth core principles of effective
senior management. Senior management is defined as the core group of
individuals directly accountable to the board of directors for the
sound and prudent day-to-day management of the firm. Under the board's
oversight, a firm's senior management is responsible for managing the
day-to-day operations of the firm and ensuring safety and soundness and
compliance with laws and regulations, including those related to
consumer protection, and internal policies and procedures. Two key
responsibilities of senior management are overseeing the activities of
the firm's business lines (individually and collectively) and the
firm's IRM and system of internal control. In addition to the general
expectations regarding senior management, the IRM and controls section
of the proposed guidance sets forth specific expectations for the CRO
and chief audit executive (``CAE''), as these individuals have specific
responsibilities related to IRM and internal audit, respectively.
The proposed guidance tailors the application of these expectations
for an FBO, given that the combined U.S. operations are part of a
larger global organization. For instance, the proposed guidance notes
that the risk tolerance for the combined U.S. operations may be
developed separately for the IHC and branch operations, respectively,
and notes that the strategy for the combined U.S. operations may mean
the manner in which the U.S. operations support the global strategy.
The proposal also notes that for an FBO, ``senior management'' can
refer to individuals located inside or outside the United States who
are accountable to the IHC board, U.S. risk committee, or global board
of directors with respect to the U.S. operations.\14\
---------------------------------------------------------------------------
\14\ To facilitate a full understanding by the FBO of risks
presented by the U.S. operations, the proposed guidance states that
senior management should fully understand U.S.-based risks and
communicate information on those risks to global management so that
U.S.-based risks are included in the aggregate risk assessment.
---------------------------------------------------------------------------
B. Core Principles of the Management of Business Lines
The proposed guidance sets forth core principles of the management
of business lines. Business line management is defined as the core
[[Page 1354]]
group of individuals responsible for the prudent day-to-day management
of the business line and who report directly to senior management.\15\
Business line management is expected to execute business line
activities consistent with the firm's strategy and risk tolerance,
identify and manage risk within the business line, provide sufficient
resources and infrastructure to the business line, ensure the business
line has the appropriate system of internal control, and ensure
accountability for operating within established policies and guidelines
and in accordance with laws and regulations, including those related to
consumer protection.
---------------------------------------------------------------------------
\15\ The proposed guidance defines a business line as a defined
unit or function of a financial institution, including associated
operations and support that provides related products or services to
meet the firm's business needs and those of its customers. This
definition would include units such as Corporate Treasury and IT
support. For an FBO, a business line would include all business
lines that are present in the United States.
---------------------------------------------------------------------------
For a LISCC firm, due to its size, risk profile, and systemic
importance of operations, the core principles of the management of
business lines would apply to all of the firm's business lines. For an
LFI that is not a LISCC firm, the core principles of the management of
business lines would apply to any business line where a significant
control disruption, failure, or loss event could result in a material
loss of revenue, profit, or franchise value, or result in significant
consumer harm.\16\ The proposed guidance uses slightly different
terminology than the proposed LFI rating system to describe the core
principles of the management of business lines. The proposed LFI rating
system referred to these principles as relating to the ``management of
core business lines.'' For a LISCC firm, ``core'' business lines were
defined to include all business lines, whereas for other LFIs, ``core''
business lines were defined to include any business line where a
significant control disruption, failure, or loss event could result in
a material loss of revenue, profit, or franchise value, or result in
significant consumer harm. Although this proposal uses the term
``management of business lines,'' the principles would apply to the
same business lines that were identified as ``core'' in the proposed
LFI rating system. The revised terminology is intended to simplify the
guidance.
---------------------------------------------------------------------------
\16\ Any business line of an LFI that is not a LISCC firm which
does not meet this definition (and thus would not be subject to the
core principles of the management of business lines included in Part
II of the proposed guidance) would be expected to maintain
appropriate risk management practices to ensure the firm's safety
and soundness. In addition, the supervisory expectations concerning
effective senior management oversight and IRM and controls described
in Parts I and III of the proposed guidance, respectively, would
apply across the entire firm. For example, supervisory expectations
regarding senior management's responsibility for maintaining and
implementing an effective risk management framework and ensuring
that the firm appropriately manages risk consistent with the firm's
strategy and risk tolerance extends to its management of the firm as
a whole, and not be limited to the individual business lines covered
by Part II of the proposed guidance.
---------------------------------------------------------------------------
The proposed guidance does not include specific expectations
regarding organizational structure at firms and states that business
line management may also serve as senior management. If business line
management is not part of senior management, business line management
is responsible for fully engaging senior management, so that senior
management can effectively carry out their responsibilities.
For an FBO, the proposed guidance acknowledges that a business line
in the United States may be part of a larger global business line and
clarifies that the guidance applies only to that portion of the
business conducted in the United States. The proposed guidance notes
that business line management should ensure that business line risks
are comprehensively captured, with consideration given to risks outside
of the United States that may impact the FBO's U.S. operations.\17\
---------------------------------------------------------------------------
\17\ Conversely, to ensure that risks of the U.S. operations are
appropriately communicated to global management, business line
management would be expected to provide sufficient information to
global management and escalate issues, as appropriate, to enable an
understanding of U.S. risk.
---------------------------------------------------------------------------
C. Core Principles of Independent Risk Management and Controls
The proposed guidance describes core principles of a firm's IRM and
controls, which refers to a firm's independent risk management
function, system of internal control, and internal audit function.\18\
The proposal sets forth responsibilities of the CRO and CAE, the
members of senior management responsible for IRM and internal audit,
respectively. As described in the proposed guidance, both the CRO and
CAE should have clear roles and responsibilities to establish and
maintain an IRM and internal audit function, respectively, that are
appropriate for the size, complexity, and risk profile of the firm.
---------------------------------------------------------------------------
\18\ The proposed guidance defines the term ``internal
controls'' as the policies, procedures, systems and processes
designed to provide reasonable assurance regarding: The
effectiveness and efficiency of operations; reliability of financial
reporting (including risk reporting); compliance with laws and
regulations (including those related to consumer protection); and
safeguarding of assets and information.
---------------------------------------------------------------------------
The proposed guidance describes expectations for a firm's IRM,
which include evaluating the firm's risk tolerance; establishing
enterprise-wide risk limits and monitoring adherence to those limits;
identifying, measuring, and aggregating risks; providing an independent
assessment of the firm's risk profile; and providing risk reports to
the board and senior management. The proposed guidance builds upon the
framework set forth in Regulation YY, which requires a firm to have an
independent risk management function.\19\
---------------------------------------------------------------------------
\19\ 12 CFR 252.33, 252.155. See also SR letter 12-17.
---------------------------------------------------------------------------
While IRM would be expected to evaluate the firm's risk tolerance,
the proposed guidance would not set the expectation that IRM would have
sole responsibility for the risk tolerance. Depending on a firm's
organizational structure, it may be appropriate for business line
management to provide input into the risk tolerance or drive its
development. The proposed guidance would assign responsibility for
enterprise-wide risk limits to IRM, but acknowledge that business line
management may develop its own limits for internal business line use
and may provide input to the risk limit-setting process defined by IRM.
However, the internal limits of a business line should not be less
stringent than the limits set by IRM because the IRM limits should be
the operative, formal, and binding limits across the firm.
For internal controls, the proposed guidance expands upon the
expectation for internal controls described in SR letter 12-17. As
described in the proposed guidance, a firm should identify its system
of internal control and demonstrate that that system is commensurate
with the firm's size, scope of operations, activities, risk profile,
strategy, and risk tolerance; demonstrate that it is consistent with
all applicable laws and regulations; regularly evaluate and test the
effectiveness of internal controls; and monitor the functioning of
controls so that deficiencies are identified and communicated in a
timely manner. The proposed guidance provides that developing and
maintaining effective internal controls is the responsibility of
several parties, including business line management.
The strength of a firm's internal audit practices are an important
consideration in the Federal Reserve's supervisory assessment of the
effectiveness of the firm's governance and controls. This proposed
guidance would not expand upon the Federal Reserve's expectations
[[Page 1355]]
for internal audit; instead the proposed guidance references existing
guidance.\20\
---------------------------------------------------------------------------
\20\ The Federal Reserve issued guidance outlining the key
components of an effective internal audit function in SR letter 03-
5, ``Amended Interagency Guidance on the Internal Audit Function and
its Outsourcing,'' and followed that with supplemental guidance in
SR letter 13-1/CA letter 13-1, ``Supplemental Policy Statement on
the Internal Audit Function and Its Outsourcing.''
---------------------------------------------------------------------------
VII. Request for Comments
The Board invites comments on all aspects of the proposed guidance,
including responses to the following questions:
(1) What considerations beyond those outlined in this proposal
should be considered in the Federal Reserve's assessment of whether an
LFI has sound governance and controls such that the firm has sufficient
financial and operational strength and resilience to maintain safe and
sound operations?
(2) How could the roles and responsibilities between the board of
directors set forth in the proposed board effectiveness guidance, and
between the senior management, business line management, and IRM be
clarified?
(3) What, if any, aspects of the structure and coverage of IRM and
controls should be addressed more specifically by the guidance?
(4) The proposal tailors expectations for FBOs, recognizing that
the U.S. operations are part of a larger organization. How could this
tailoring be improved?
(5) In what ways, if any, does the guidance diverge from industry
practice? How could the guidance better reflect industry practice while
facilitating effective risk management and controls? Are there any
existing standards for internal control frameworks to which the
guidance should follow more closely?
(6) Other supervisory communications have used the term ``risk
appetite'' instead of risk tolerance. Are the terms ``risk appetite''
and ``risk tolerance'' used interchangeably within the industry, and
what confusion, if any, is created by the terminology used in this
guidance?
(7) The proposal would adopt different terminology than is used in
the proposed LFI rating system, and the Board expects to align the
terminology so the element in the governance and controls component
would change from ``management of core business lines'' to ``management
of business lines.'' Does this proposal clearly explain this expected
change? Do commenters anticipate any impact from this change?
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3501-3521) (``PRA''), the Board may not conduct or sponsor, and a
respondent is not required to respond to, an information collection
unless it displays a currently valid Office of Management and Budget
(``OMB'') control number. The Board reviewed the proposed supervisory
guidance under the authority delegated to the Board by OMB.
The proposed supervisory guidance contains a collection of
information subject to the PRA. Recordkeeping requirements are found in
the proposed guidance. Among expectations for business line management,
the proposed guidance states that business line management should
establish specific business and risk objectives for business lines, and
establish policies and guidelines that delineate accountability within
the business line. In addition, the proposed guidance sets expectations
for a firm's IRM function, including related to the scope of a firm's
risk limits and an expectation for written risk assessment that would
be provided to the senior management and, as appropriate, the board.
The proposed guidance also sets expectations for internal audit,
including an expectation for an internal audit risk assessment and
audit reports.
Comments are invited on:
a. Whether the collections of information are necessary for the
proper performance of the Board's functions, including whether the
information has practical utility;
b. The accuracy or the estimate of the burden of the information
collections, including the validity of the methodology and assumptions
used;
c. Ways to enhance the quality, utility, and clarity of the
information to be collected;
d. Ways to minimize the burden of the information collections on
respondents, including through the use of automated collection
techniques or other forms of information technology; and
e. Estimates of capital or startup costs and costs of operation,
maintenance, and purchase of services to provide information.
All comments will become a matter of public record. Comments on
aspects of this notice that may affect reporting, recordkeeping, or
disclosure requirements and burden estimates should be sent to:
Secretary, Board of Governors of the Federal Reserve System, 20th and C
Streets NW, Washington, DC 20551. A copy of the comments may also be
submitted to the OMB desk officer by mail to U.S. Office of Management
and Budget, 725 17th Street NW, #10235, Washington, DC 20503; facsimile
to (202) 395-6974; or email to [email protected], Attention,
Federal Banking Agency Desk Officer.
Proposed Information Collection
Report title: Governance and Controls Guidance.
Agency form number: FR 4204.
OMB control number: 7100-NEW.
Frequency: Annual.
Respondents: Domestic bank and savings and loan holding companies
with total consolidated assets of $50 billion or more, systemically
important nonbank financial companies designated by FSOC for
supervision by the Board, the U.S. operations of FBOs with combined
U.S. assets of $50 billion or more, and state member bank subsidiaries
of the foregoing.
Legal authorization and confidentiality: This information
collection is voluntary. The Board has determined that the collection
of information is authorized by section 5(c) of the Bank Holding
Company Act (12 U.S.C. 1844(c)), section 10(b) of the Homeowners' Loan
Act (12 U.S.C. 1467a(b)(4), section 113 of the Dodd-Frank Act (12
U.S.C. 5323). The information contained would be considered
confidential pursuant to exemption 8 of the Freedom of Information Act
(5 U.S.C. 552(b)(8)).
Estimated number of respondents: 56.
Estimated average hours per response: 3,872 hours initial setup,
560 hours for ongoing.
Estimated annual burden hours: 216,832 hours initial setup, 31,360
hours for ongoing.
Regulatory Flexibility Analysis
The Federal Reserve is providing an initial regulatory flexibility
analysis with respect to this proposal. While the proposed guidance is
not being adopted as a rule, the Federal Reserve has considered the
potential impact of the proposal on small banking organizations using
considerations that would apply if the Regulatory Flexibility Act, 5
U.S.C. 601 et seq. (``RFA'') were applicable. Based on the Board's
analysis and for the reasons stated below, the Board believes that the
proposed guidance will not have a significant economic impact on a
substantial number of small entities.
Under regulations issued by the Small Business Administration, a
small entity includes a depository institution, bank holding company,
or savings and loan holding company with assets of $550 million or less
(``small banking
[[Page 1356]]
organizations''). As of June 1, 2017, there were approximately 3,539
small banking organizations. As described above, the proposed guidance
would apply only to all bank holding companies with total consolidated
assets of $50 billion or more; state member banks of such bank holding
companies; all savings and loan holding companies with total
consolidated assets of $50 billion or more; systemically important
nonbank financial companies designated by FSOC for supervision by the
Federal Reserve; and the U.S. operations of FBOs with combined U.S.
assets of $50 billion or more. Small banking organizations would
therefore not be subject to the proposed guidance. As a result, the
proposed guidance should have any impact on small banking
organizations. In light of the foregoing, the Board believes that the
proposed guidance will not have a significant economic impact on small
banking organizations supervised by the Board.
Text for the Proposed Supervisory Guidance on Management of Business
Lines and Independent Risk Management and Controls for Large Financial
Institutions
Introduction
Governance and controls involves (i) the oversight of a firm by its
board of directors, (ii) management of business lines and independent
risk management (IRM) and controls, and (iii) for domestic Large
Institution Supervision Coordinating Committee (LISCC) firms only,
recovery planning. This guidance sets forth the second part of the
Federal Reserve's expectations for large financial institutions (LFIs
or firms)--core principles of the management of business lines and IRM
and controls. This guidance also builds upon supervisory guidance
previously issued by the Federal Reserve.\21\
---------------------------------------------------------------------------
\21\ See SR letter 12-17/CA letter 12-14, ``Consolidated
Supervision Framework for Large Financial Institutions.'' Other laws
and regulations set forth requirements for corporate governance and
risk management, including the risk and liquidity risk management
requirements in Regulation YY (12 CFR part 252).
---------------------------------------------------------------------------
Guidance related to the first part of governance and controls, the
oversight of a firm by its board of directors (BE Guidance), was
released earlier.\22\ It describes attributes of an effective board of
directors and distinguishes a board's responsibilities from those of a
firm's senior management.
---------------------------------------------------------------------------
\22\ See 82 FR 37219 (August 9, 2017) for the proposed
Supervisory Guidance on Board of Directors' Effectiveness for
Domestic Bank and Savings and Loan Holding Companies With Total
Consolidated Assets of $50 Billion or More (Excluding Intermediate
Holding Companies of Foreign Banking Organizations Established
Pursuant to the Federal Reserve's Regulation YY), and Systemically
Important Nonbank Financial Companies Designated by the Financial
Stability Oversight Council for Supervision by the Federal Reserve.
---------------------------------------------------------------------------
Like the BE Guidance, the supervisory expectations described in
this guidance regarding the management of business lines and IRM and
controls would help inform the Federal Reserve's overall supervisory
evaluation of a firm's governance and controls to support the firm's
financial and operational strength and resilience. Among other factors,
this evaluation would be an input to the governance and controls
component rating under the proposed LFI rating system.\23\
---------------------------------------------------------------------------
\23\ See 82 FR 39049 (August 17, 2017) for the proposed large
financial institutions rating system (LFI rating system). For firms
that would be subject to this guidance but not subject to the
proposed LFI rating system, this guidance would help inform the
Federal Reserve's evaluation of the firm's overall safety and
soundness and the effectiveness of its risk management practices.
---------------------------------------------------------------------------
I. Applicability
The guidance applies to domestic bank holding companies (BHCs) and
domestic savings and loan holding companies with total consolidated
assets of $50 billion or more, the combined U.S. operations of foreign
banking organizations (FBOs) with combined U.S. assets of $50 billion
or more, and any state member bank subsidiaries of the foregoing. The
guidance also applies to systemically important nonbank financial
companies designated by the Financial Stability Oversight Council
(FSOC) for supervision by the Board.
Application to Foreign Banking Organizations
Regulation YY requires FBOs with combined U.S. assets of $50
billion or more to maintain a U.S. risk committee to oversee the risk
management framework of the combined U.S. operations.\24\ Regulation YY
also requires FBOs with U.S. non-branch assets of $50 billion or more
to establish an intermediate holding company (IHC), which is governed
by a board of directors or managers with equivalent rights, powers,
privileges, duties, and responsibilities to those of a board of
directors of a domestic corporation.\25\ The Federal Reserve's
expectations for governance of the combined U.S. operations of an FBO
are generally consistent with its expectations for governance of large
domestic firms and, in this guidance, a reference to ``firm'' should be
taken also as a reference to the combined U.S. operations of an FBO,
unless the context requires otherwise. Given that an FBO's combined
U.S. operations are part of a larger global organization, the Federal
Reserve anticipates that certain elements of an FBO's governance
framework may be located outside of the United States. In this event,
these elements should enable effective governance and risk management
by the U.S. senior management, the U.S. risk committee, and the IHC
board (as applicable), and should facilitate U.S. supervisors' ability
to assess the adequacy of governance and controls in the combined U.S.
operations.
---------------------------------------------------------------------------
\24\ 12 CFR 252.155(a).
\25\ 12 CFR 252.153(a)(2)(ii).
---------------------------------------------------------------------------
Core Principles of Effective Senior Management, Management of Business
Lines, and Independent Risk Management (IRM) and Controls
This guidance sets forth core principles of effective senior
management, the management of a firm's business lines \26\ and IRM and
controls.\27\
---------------------------------------------------------------------------
\26\ For a LISCC firm, due to its size, risk profile, and
systemic importance, the guidance would apply to all of the firm's
business lines. For an LFI that is not a LISCC firm, the
expectations for management of business lines would apply only to
business lines where a significant control disruption, failure, or
loss event would result in a material loss of revenue, profit, or
franchise value, or result in significant consumer harm. Other
business lines of these firms which do not meet that definition
would be expected to maintain appropriate risk management practices
to ensure the firm's safety and soundness. The expectations included
in this guidance relating to effective senior management oversight
and IRM and controls would apply across the entire firm, and are not
limited to the individual business lines that are subject to the
expectations concerning the management of business lines.
\27\ IRM and controls refers to a firm's independent risk
management function, system of internal control, and internal audit
function.
---------------------------------------------------------------------------
I. Core Principles of Effective Senior Management
Principle: Senior management is responsible for managing the day-to-day
operations of the firm and ensuring safety and soundness and compliance
with internal policies and procedures, laws, and regulations, including
those related to consumer protection.
Under the board's oversight, a firm's senior management is
responsible for managing the day-to-day operations of the firm, and for
ensuring safety and soundness and compliance with internal policies and
procedures, laws, and regulations, including those related to consumer
protection.\28\ Two key
[[Page 1357]]
responsibilities of senior management are overseeing the activities of
the firm's business lines (individually and collectively) and the
firm's IRM and controls.
---------------------------------------------------------------------------
\28\ The term ``senior management'' refers to the core group of
individuals directly accountable to the board of directors for the
sound and prudent day-to-day management of the firm. For an FBO,
``senior management'' can refer to individuals located inside or
outside the United States who are accountable to the IHC board, U.S.
risk committee, or global board of directors with respect to the
U.S. operations.
``Board'' or ``board of directors'' also refers to committees of
the board of directors, as appropriate.
---------------------------------------------------------------------------
Senior management is responsible for implementing the firm's
strategy and risk tolerance approved by the board.\29\ Senior
management should implement the strategic and risk objectives across
the firm to support the firm's long-term resiliency and safety and
soundness, including the firm's ability to withstand the impact of a
range of stressed conditions.\30\ Senior management should ensure the
firm's infrastructure, staffing, and resources are sufficient to carry
out the firm's strategy and manage the firm's activities in a safe and
sound manner, and in compliance with applicable laws and regulations,
including those related to consumer protection, as well as policies,
procedures, and limits. Senior management should also identify when
there is a risk that the firm's activities collectively may deviate
from the firm's strategy and risk tolerance and escalate such instances
to the board of directors.
---------------------------------------------------------------------------
\29\ See 82 FR 37219 (August 9, 2017). ``Risk tolerance'' is
defined as the aggregate level and types of risk the board and
senior management are willing to assume to achieve the firm's
strategic business objectives, consistent with applicable capital,
liquidity, and other requirements and constraints.
For an FBO, the U.S. risk committee should approve the risk
tolerance for the combined U.S. operations (which may be developed
separately for the IHC and branch operations, respectively). The
strategy for the combined U.S. operations may mean the manner in
which the U.S. operations support the global strategy.
\30\ Risk objectives are the level and type of risks a business
line plans to assume in its activities relative to the level and
type specified in the firmwide risk tolerance. For example, a
residential mortgage business unit should specify the level and type
of credit risk, interest-rate risk, or other risks it plans to
assume in its activities relative to the level and type specified in
the risk tolerance.
---------------------------------------------------------------------------
Senior management is responsible for maintaining and implementing
an effective risk management framework and ensuring the firm
appropriately manages risk consistent with its strategy and risk
tolerance.\31\ This includes establishing clear responsibilities and
accountability for the identification, measurement, management, and
control of risk. Senior management is responsible for promoting and
enforcing prudent risk-taking behaviors and business practices,
including through the firm's compensation and performance management
programs. Senior management is responsible for developing and
maintaining the firm's policies and procedures and system of internal
control, commensurate with the firm's size, scope of operations,
activities, and risk profile, to ensure compliance with laws and
regulations, including those related to consumer protection, and
consistency with supervisory expectations.\32\ Senior management should
also periodically assess the risk management framework as a whole to
ensure that the framework remains comprehensive and appropriate and has
kept pace with changes in the business line's products, services, and
activities as well as changes in economic conditions and the broader
market environment.
---------------------------------------------------------------------------
\31\ For FBOs, regardless of whether a firm's senior management
resides in the United States, senior management should fully
understand the risks of U.S operations and communicate information
on the risks of combined U.S. operations to global management so
that these risks are included in the aggregate risk assessment of
the global organization. Further, senior management with authority
over budgeting or strategy for the combined U.S. operations should
allocate appropriate resources and expertise to meet the
expectations of this guidance.
\32\ The term ``internal controls'' refers to the policies,
procedures, systems and processes designed to provide reasonable
assurance regarding: The effectiveness and efficiency of operations;
reliability of financial reporting (including risk reporting);
compliance with laws and regulations (including those related to
consumer protection); and safeguarding of assets and information.
---------------------------------------------------------------------------
Senior management should ensure effective communication and
information sharing across the entire firm. Senior management should
also address any impediments to the effective flow of information,
including those that could result in decisions being made or actions
being taken in isolation.
In overseeing the firm's day-to-day operations, senior management
should base its decisions and actions, as well as its communications
with the board, on a full understanding of the firm's risks and
activities. Therefore, senior management should have in place robust
mechanisms for:
Keeping apprised of drivers and trends related to current
and emerging risks, material limit breaches, and other material issues;
Maintaining and assessing the firm's system of internal
control;
Staying informed about material deficiencies and
limitations in risk management and control practices, and ensuring that
such deficiencies are remediated in a timely fashion;
Assessing the potential impact of the firm's activities
and risk positions on the firm's capital,\33\ liquidity, and overall
risk profile;
---------------------------------------------------------------------------
\33\ References to ``capital'' in this section are not
applicable to branches or agencies of an FBO.
---------------------------------------------------------------------------
Assessing the firm's financial and nonfinancial
performance relative to the firm's strategy and risk objectives;
Maintaining robust management information systems to
support oversight of the firm's activities and risk positions, and to
provide information to the board; and
Maintaining current succession and contingency staffing
plans for key positions.
Senior management is responsible for providing timely, useful, and
accurate information to the board. Senior management should also be
responsive to direction from the board and to the board's informational
needs. Further, senior management is responsible for ensuring
resolution of risk management issues (including those identified by the
firm and outstanding supervisory matters), escalating issues to the
board, and communicating issues internally when appropriate. Senior
management should regularly report to the board on responses to, and
remediation of, material audit and supervisory findings, risk
management and control deficiencies, material compliance issues
(including those related to consumer protection), and the outcomes of
risk reviews which may result in remedial actions.
II. Core Principles of the Management of Business Lines
This section sets forth core principles of the management of
business lines, including critical operations.\34\ As used in this
guidance, business line management refers to the core group of
individuals responsible for prudent day-to-day management of a business
line and accountable to senior management for that responsibility.\35\
---------------------------------------------------------------------------
\34\ A business line is a defined unit or function of a
financial institution, including associated operations and support
that provides related products or services to meet the firm's
business needs and those of its customers. Under certain
organizational structures, a business line may cross legal entities
or geographic jurisdictions.
``Critical operations'' are those operations, including
associated services, functions and support, the failure or
discontinuance of which, in the view of the firm or the Federal
Reserve, would pose a threat to the financial stability of the
United States. All of the expectations for the management of
business lines apply to critical operations.
\35\ Depending on a firm's organizational structure, business
line management may or may not be members of senior management. If
management of a business line is not a member of senior management,
business line management is responsible for fully engaging senior
management, so that senior management can effectively carry out its
responsibilities.
---------------------------------------------------------------------------
For a LISCC firm, due to its size, risk profile, and systemic
importance, these principles apply to all of the firm's business lines.
For an LFI that is not a LISCC firm, these principles apply to
[[Page 1358]]
any business line in which a significant control disruption, failure,
or loss event could result in a material loss of revenue, profit, or
franchise value, or result in significant consumer harm.
A business line may cross legal entities or geographic
jurisdictions. In instances where a business line of an FBO is part of
a larger business conducted outside of the United States, expectations
apply only to the portion of that business conducted in the United
States.\36\
---------------------------------------------------------------------------
\36\ Business line management of the U.S. operations should
ensure that business line risks are captured comprehensively with
consideration given to risks outside the United States that may
impact the FBO's combined U.S. operations. Moreover, business line
management should provide sufficient information to global
management and escalate issues, as appropriate, to enable an
understanding of the risks from the combined U.S. operations.
---------------------------------------------------------------------------
This section is organized as follows:
A. Implementation and Execution of Strategy and Risk Tolerance
B. Risk Identification and Risk Management
C. Resources and Infrastructure
D. Business Controls
E. Accountability
A. Implementation and Execution of Strategy and Risk Tolerance
Principle: Business line management should execute business line
activities consistent with the firm's strategy and risk tolerance.
Business line management should establish specific business and
risk objectives for each business line that align with the firmwide
strategy and risk tolerance. Business line management should inform
senior management when the business line's risk management capabilities
are insufficient to achieve those business and risk objectives. In
addition, during the strategic planning process with senior management,
business line management should clearly present the risks emanating
from the business line's activities. Business line management should
explain how those risks are managed and align with the firm's risk
tolerance.
Business line management should provide information to senior
management regarding the business line's current and potential risk
profile and its alignment with the firm's risk tolerance. Information
reported should enable senior management to make critical decisions
about the business line's strategic direction and risks.
B. Risk Identification and Risk Management
Principle: Business line management should identify, measure, and
manage the risks associated with the business activities under a broad
range of conditions, incorporating input from IRM.\37\
---------------------------------------------------------------------------
\37\ As noted in the Independent Risk Management and Controls
section below, IRM is responsible for conducting a separate,
objective, critical assessment of risks and risk-taking across the
entire firm, separate from the business line's risk management
activities.
Business line management should identify, measure, and manage
current and emerging risks that stem from the business line's
activities and changes to external conditions.\38\ Where it is
difficult to assess risks quantitatively, business line management
should still assess the impact of those risks, such as through
qualitative means. These risks should include significant exposures and
activities, both on-balance and off-balance sheet, and any other
potential sources of risk related to the business line's activities.
Business line management should incorporate appropriate feedback from
IRM on business line risk positions, implementation of the risk
tolerance, and risk management practices, including risk mitigation.
---------------------------------------------------------------------------
\38\ Emerging risks include those that have yet to create a
material impact or would only arise during stressful or unlikely
circumstances. The risk assessment should include all relevant
risks, both financial and non-financial, including compliance risk.
---------------------------------------------------------------------------
In measuring risks, business line management should consider the
size and risk characteristics of the business line's exposures and
business activities. Business line management should aggregate risks,
including by business activities or products. For instance, management
of a large commercial lending business line should understand risks
affecting the business line as a whole, and also within segments of the
business line, such as large corporate exposures, commercial real
estate loans, and small business lending.
The activities of a business line should remain within risk limits
established by IRM.\39\ Business line management should consult with
senior management before allowing any exceptions to risk limits.\40\
This consultation should culminate in a well-supported decision by
management to accept the risk or reduce its risk exposure. Business
line management should subject any exceptions to risk limits to the
firm's formal approval process. A business line may need to employ risk
mitigation strategies to remain aligned with the firmwide strategy and
risk tolerance.
---------------------------------------------------------------------------
\39\ Business line management may develop its own limits for
internal business line use and may provide input to the risk limit-
setting process defined by IRM. However, the internal limits of a
business line should not be less stringent than the limits set by
IRM because the limits set by IRM should be the operative, formal,
and binding across the firm.
\40\ Business line management should evaluate breaches of risk
limits to determine whether a breach represents a weakness in the
monitoring or limits framework for the business lines, and take
appropriate remedial action.
---------------------------------------------------------------------------
A firm should have policies and procedures for vetting new business
products and initiatives. Risks from new businesses should be
identified and captured in risk management governance, infrastructure,
compliance, and processes before commencing the new business. Business
line management should escalate to senior management any required
changes or modifications to risk management systems or internal control
policies and procedures arising from the adoption of a new business or
initiative. Additionally, growth in the new business should be
consistent with the firm's risk management capabilities.
C. Resources and Infrastructure
Principle: Business line management should provide a business line with
the resources and infrastructure sufficient to manage the business
line's activities in a safe and sound manner, and in compliance with
applicable laws and regulations, including those related to consumer
protection, as well as policies, procedures, and limits.
Business line management should provide a business line with
sufficient resources and infrastructure to meet strategic objectives
while maintaining financial and operational strength and resilience
over a range of operating conditions, including stressful ones.\41\
Sufficient resources and infrastructure include personnel with
appropriate training and expertise and management information systems.
Business line management should inform senior management if the
business line's resources and infrastructure are insufficient to meet
its business objectives.
---------------------------------------------------------------------------
\41\ ``Financial strength and resilience'' is defined as
maintaining effective capital and liquidity governance and planning
processes, and sufficiency of related positions, to provide for
continuity of the consolidated organization and its core business
lines, critical operations, and banking offices through a range of
conditions.
``Operational strength and resilience'' is defined as
maintaining effective governance and controls to provide for
continuity of the consolidated organization and its core business
lines, critical operations, and banking offices, and promote
compliance with laws and regulations, including those related to
consumer protection, through a range of conditions.
---------------------------------------------------------------------------
Business line management should ensure that the business line's
[[Page 1359]]
infrastructure is sound and appropriate for the intended specific
business activities and that management information systems are
sufficiently flexible to produce ad hoc and more frequent reporting
when necessary. Business line management should address any gaps or
weaknesses identified in the existing infrastructure and escalate to
senior management if appropriate.
Business line management should ensure that the business line has:
Clearly defined staff roles and responsibilities for key
positions, as well as management reporting lines;
Appropriate separation of duties and internal controls for
effectively managing risk associated with its business strategy;
Staff with skills and experience commensurate with the
business line's activities and risks; and
Succession and contingency plans for key positions.
Business line management should provide training and development to
its staff to ensure sufficient knowledge of business line activities;
compliance, operations and risk management processes; controls; and
business continuity. Business line management should reinforce balanced
risk-taking and provide incentives for appropriate behaviors through
talent management processes, compensation arrangements, and other
performance management processes.
D. Business Controls
Principle: Business line management should ensure that the internal
control system is effective for the business line operations.
Business line management should develop and maintain an effective
system of internal control for its business line that helps to ensure
compliance with laws and regulations, including those related to
consumer protection, and supports effective risk management.\42\ For
example, a business line's system of internal control should include
access controls, change controls, and data integrity controls,
including data reconciliations, variance analysis, and data quality
logic checks. The system of internal control for a business line should
be commensurate with the business line's size, scope of operations,
activities, and risk profile. A comprehensive system of internal
control includes policies, procedures, systems, and processes specific
to the business line.
---------------------------------------------------------------------------
\42\ In developing and maintaining its system of internal
control, a business line may use the internal controls that are in
place across the firm.
---------------------------------------------------------------------------
Business line management should regularly test to ensure the
controls within its business line are functioning as expected and are
effective in managing risks. More frequent testing is appropriate for
key controls, or controls that have undergone a material change.
Business line management should ensure that deficiencies in control
design and operating effectiveness are remediated. Business line
management should provide periodic reports on the operation of controls
to senior management and escalate to senior management material
internal control deficiencies and any systematic control violations.
Finally, business line management should reassess all key controls
periodically to ensure relevancy and alignment with current approved
policies.
E. Accountability
Principle: Business line management and staff are accountable for
operating within established policies and guidelines, and acting in
accordance with applicable laws, regulations, and supervisory guidance,
including those related to consumer protection.
Business line management should establish policies and guidelines
that specify accountability, set forth clear lines of management
authority within the business line, and clearly align desired behavior
with the firm's performance management incentives. Business line
management should hold their staff accountable to the extent behavior
that is inconsistent with the board and senior management directives
and inform senior management as appropriate. Business line management
should ensure that training for new and existing employees explicitly
addresses and emphasizes the importance of professional conduct and
compliance with laws and regulations, including those related to
consumer protection.
Business line management should have ongoing and effective means to
prevent, detect, and remediate risk management and compliance failures
of business line policies and procedures, as well as policies and
limits established by the firm's senior management. Business line
management should develop processes with indicators and early warning
mechanisms to facilitate timely detection of existent and potential
issues. Business line management should actively supervise employees in
light of the firm's policies and guidelines.
III. Core Principles of Independent Risk Management and Controls
There are three key areas covered in this section: (1) IRM, which
provides an objective, critical assessment of risks and evaluates
whether a firm remains aligned with its stated risk tolerance; (2) a
system of internal control to guide practices, provide appropriate
checks and balances, and confirm quality of operations; and (3)
internal audit, which provides independent assessments of the
effectiveness of the risk management framework and the system of
internal control.
This section is organized as follows:
A. Governance, Independence, and Stature
1. Chief Risk Officer (CRO)
2. Chief Audit Executive (CAE)
B. Independent Risk Management
1. Risk Tolerance and Limits
2. Risk Identification, Measurement, and Assessment
3. Risk Reporting
C. Internal Controls
D. Internal Audit
Except for the roles of the CRO and the CAE, this guidance does not
purport to prescribe in detail the governance structure for a firm's
IRM and controls. Senior management should establish and maintain clear
lines of responsibility and accountability so that activities are
conducted in a manner that satisfies supervisory expectations.
Supervisory expectations related to independent risk management
apply to the U.S. CRO and the U.S. risk committee of an FBO for the
combined U.S. operations in the same manner as these expectations apply
to the CRO and risk committee of a domestic holding company. For an
FBO, the internal audit function for the combined U.S. operations
should have appropriate independent oversight of those.
A. Governance, Independence, and Stature \43\
---------------------------------------------------------------------------
\43\ ``Stature'' refers to the ability and authority to
influence decisions and effect change throughout the organization,
procure resources necessary to carry out responsibilities, escalate
issues as needed to senior management and the board, and observe or
participate on relevant management committees.
---------------------------------------------------------------------------
1. Chief Risk Officer
Principle: The CRO should establish and maintain IRM that is
appropriate for the size, complexity, and risk profile of the firm.
The Board's Regulation YY requires certain firms to have a CRO with
sufficient capability and experience in identifying, assessing, and
managing risk exposures of large, complex
[[Page 1360]]
financial institutions.\44\ To promote the stature and independence of
IRM, the CRO must report directly to the board's risk committee as well
as to the CEO.\45\ The CRO also must provide reports to the board's
risk committee at least quarterly.\46\
---------------------------------------------------------------------------
\44\ 12 CFR 252.33(b); 12 CFR 252.155(b). For an FBO, references
to CRO and risk committee mean the U.S. CRO and U.S. risk committee
required under 12 CFR 252.155.
\45\ 12 CFR 252.33(b)(3)(ii). For an FBO, the U.S. CRO must
report to the U.S. risk committee and the global CRO or equivalent
management official(s) who is responsible for overseeing the
implementation of and compliance with policies and procedures
relating to risk management governance, practices, and risk controls
of the FBO (unless the Federal Reserve approves an alternate
reporting structure). 12 CFR 252.155(b)(3).
\46\ 12 CFR 252.33(a)(3)(v). This requirement does not apply to
the U.S. CRO of an FBO.
---------------------------------------------------------------------------
As part of overseeing IRM, the CRO should guide IRM to establish
and monitor compliance with enterprise-wide risk limits, identify and
aggregate the firm's risks, assess the firm's risk positions relative
to the parameters of the firm's risk tolerance, and provide relevant
risk information to senior management and the board. The CRO should
also oversee communication of the firm's risk limits to the board and
relevant firm management and staff.
The CRO should inform the board if his or her stature,
independence, or authority is not sufficient to provide objective and
independent assessments of the firm's risks, risk management
activities, and system of internal control.\47\ Further, the CRO should
be included in discussions with other senior management and the board
related to key decisions such as strategic planning and capital and
liquidity planning. The CRO should also provide input to the board on
incentive compensation plan design and effectiveness.
---------------------------------------------------------------------------
\47\ Other officers of the firm may oversee portions of
functions involved in risk management and control activities.
---------------------------------------------------------------------------
The CRO should escalate issues to senior management and the board
when activities or practices at the firmwide, risk-specific, and
business-line level do not align with the firm's overall risk
tolerance. For example, the CRO should report concerns to the board's
risk committee if the firm does not have sufficient risk management
capacity to enter into a proposed merger or new product line and
promote the taking of appropriate actions, as warranted. The CRO should
recommend constraints on risk-taking and enhancements to risk
management practices to senior management and the board. The CRO or IRM
should be involved in any proposal to waive or make exceptions to
established risk limits, including on a temporary basis, should provide
an assessment of any such proposal, and should escalate the proposal to
the board of directors as appropriate. The necessary level of approval
within IRM and escalation should be clearly articulated in policies and
procedures and commensurate with the nature of the risk limit.
The CRO should support the independence of IRM from the business
lines by establishing clearly defined roles and responsibilities, and
reporting lines. The CRO should periodically assess whether IRM has
appropriate staffing and systems; sufficient understanding of the risks
and business activities being evaluated; and sufficient authority to
identify and escalate material or persistent risk management and
control deficiencies and to challenge senior management and business
line management when warranted.
2. Chief Audit Executive
Principle: The CAE should have clear roles and responsibilities to
establish and maintain an internal audit function that is appropriate
for the size, complexity and risk profile of the firm.
A firm should have a CAE, appointed by the board, with sufficient
capability, experience, independence and stature to manage the internal
audit function's responsibilities appropriate to the size and
complexity of the firm.\48\ The CAE should effectively manage all
aspects of internal audit work on an ongoing basis, including any
internal audit work that is outsourced. The CAE should have the
authority to oversee all internal audit activities and to hire internal
audit staff with sufficient capability and stature. Under the direction
of the CAE, the internal audit function performs independent
assessments of the effectiveness of the firm's system of internal
control and the risk management framework. The CAE should report
findings, issues, and concerns to the board's audit committee and
senior management.
---------------------------------------------------------------------------
\48\ See SR letter 13-1/CA letter 13-1, ``Supplemental Policy
Statement on the Internal Audit Function and Its Outsourcing.''
---------------------------------------------------------------------------
B. Independent Risk Management \49\
---------------------------------------------------------------------------
\49\ Independent risk management is comprised of a range of risk
management functions. For example, firms should have an independent
compliance risk management function that establishes a firmwide
compliance risk management program and delineates responsibilities
for managing compliance risk. See SR letter 08-08/CA letter 08-11,
``Compliance Risk Management Programs and Oversight at Large Banking
Organizations with Complex Compliance.'' The structure and reporting
lines for such an independent compliance risk management function
may vary across firms.
---------------------------------------------------------------------------
1. Risk Tolerance and Limits
Principle: IRM should evaluate whether the firm's risk tolerance
appropriately captures the firm's material risks and confirm that the
risk tolerance is consistent with the capacity of the risk management
framework.
IRM should provide input into and evaluate the firm's risk
tolerance to ensure that it appropriately captures the firm's material
risks and aligns with the firm's strategy and the corresponding
business activities.\50\ In addition, IRM should evaluate whether the
risk tolerance:
---------------------------------------------------------------------------
\50\ The development and ongoing update of a firm's risk
tolerance is an iterative process, meaning that several parties
provide input on a continual basis. IRM's input into and evaluation
of the risk tolerance should fit into this overall process and may
occur at several different stages.
---------------------------------------------------------------------------
Addresses risks under normal and stressed conditions and
considers changes in the risk environment;
Includes risks associated with the firm's revenue
generating activities, as well as other aspects of risks inherent to
the business, such as compliance, information technology, and
cybersecurity;
Incorporates realistic risk and reward assumptions that,
for example, do not overestimate expected returns from business
activities or underestimate risks associated with business activities;
and
Guides the firm's risk-taking and risk mitigation
activities.
IRM should determine whether the firm's risk profile is consistent
with the firm's risk tolerance and assess whether the firm's risk
management framework has the capacity to manage the risks outlined in
the risk tolerance. Specifically, IRM should determine whether there
are sufficient resources and infrastructure in the relevant areas of
the firm to properly identify, manage, and report the risks associated
with the business strategies outlined in the risk tolerance, including
during stressful or unanticipated conditions.
Principle: IRM should establish enterprise-wide risk limits consistent
with the firm's risk tolerance and monitor adherence to such limits.
Under direction of the CRO, IRM should establish enterprise-wide
risk limits that are consistent with the firm's risk tolerance for the
firm's full set of risks, including risks associated with revenue
generating activities and those inherent to the business. Risk limits
should be assigned to specific risk types, business lines, legal
entities, jurisdictions, geographic areas, concentrations, products or
activities,
[[Page 1361]]
commensurate with the firm's risk profile. For example, risk limits can
cover single counterparty credit exposures, funding concentrations,
country exposures, or subprime lending activities. Risk limits should
be clear, relevant, and current. IRM should create lower-level risk
limits, such as for an individual business line, based on the
enterprise-wide risk limits.
Risk limits should be quantitative and qualitative. For instance,
quantitative limits can be set relative to earnings, assets,
liabilities, capital, liquidity, or other relevant benchmarks. IRM
should set qualitative limits--such as an expert assessment to
constrain business in a given country--as a proxy for risks or aspects
of risks that are more difficult to quantify. Risk limits should
include explicit thresholds that, if crossed, strictly prohibit the
activity generating the risk.
To the extent possible, risk limits should:
Consider the range of possible external conditions facing
the firm over a period of time;
Consider the aggregation and interaction of risks across
the firm;
Be consistent with the firm's financial resources, such as
available capital and liquidity, as well as with non-financial aspects,
such as managerial, technological, and operational resources; and
Reinforce compliance with laws and regulations, including
those related to consumer protection, and consistency with supervisory
expectations.
IRM should monitor and update risk limits as appropriate,
especially as the firm's risk tolerance is updated, the firm's risk
profile changes, or external conditions change. IRM should also
identify significant trends in risk levels to evaluate whether risk-
taking and risk management practices are consistent with the firm's
strategic objectives. IRM should escalate to senior management any
material breaches of the firm's enterprise-wide risk limits and risk
tolerance, as well as instances where IRM's conclusions differ from the
conclusions of a business line.
2. Risk Identification, Measurement, and Assessment
Principle: IRM should identify and measure the firm's risks.
IRM's activities are conducted in addition to business line risk
management activities described above and should provide an objective,
critical perspective of a firm's risks. IRM should identify and measure
current and emerging risks within and across business lines and risk
types, as well as any other relevant perspectives, such as by legal
entity or jurisdiction. Where it is difficult to assess risks
quantitatively, IRM should still assess the impact of those risks, such
as through qualitative means. IRM should conduct its risk
identification and measurement work on an ongoing basis to reflect any
changes in exposures, business activities, and the broader operating
environment, including changes in law and supervisory expectations.
IRM should identify risk types, including credit, market,
operational, liquidity, interest rate, legal, compliance and related
risks (such as consumer protection and Bank Secrecy Act/anti-money
laundering). IRM should establish minimum internal standards for all of
its risk identification and measurement practices to ensure consistent
quality across different risks. IRM's standards should include both
quantitative and qualitative elements, with the latter especially
important for risks or aspects of risks that are more difficult to
quantify. The standards at a firm should be dynamic, inclusive, and
comprehensive.
To conduct effective risk identification and measurement, IRM
should have access to timely, reliable, and comprehensive information
about all risk-related exposures and activities in the firm. This
should include emerging or potential sources of risk. IRM should seek
input across the firm in identifying risks. IRM may utilize information
collected or used from business lines; however, IRM should not rely on
business line information exclusively. IRM staff should also draw upon
external information, such as peer data or market information, to
supplement their assessments.
IRM should regularly measure identified risks under both normal and
stressful operating conditions. In measuring risks, IRM should consider
the size and risk characteristics of the firm's exposures and business
activities. Within each risk type, IRM should rely on a range of
metrics and use measures appropriate to different risk types.
Principle: IRM should aggregate risks and provide an independent
assessment of the firm's risk profile.
IRM should aggregate risks across the entire firm and assess those
risks relative to the firm's risk tolerance.\51\ IRM should identify
material or critical concentrations of risks and assess the likelihood
and potential impact of those risks on the firm. Further, IRM should
identify activities or exposures that have related risk factors and
assess the combined impact of those risk factors on the firm. IRM
should assess risk information along different meaningful dimensions at
a more granular level than firmwide, such as by business line,
geographic regions, obligors, counterparties, and products, to
determine how those impact the firm's risk profile.
---------------------------------------------------------------------------
\51\ For example, IRM should be able to aggregate all retail
credit risk across the firm's different consumer business lines
(such as credit cards, residential mortgages, and auto lending).
---------------------------------------------------------------------------
IRM should conduct risk assessments using information from risk
identification, measurement, and aggregation to determine the impact of
risks on the firm and to inform senior management and the board about
the suitability of risk positions relative to risk limits and the risk
tolerance. IRM should assess risks and risk drivers within and across
business lines and risk types, as well as any other material
perspectives, such as by legal entity or jurisdiction. Further, IRM
should analyze any assumptions related to risk diversification. IRM
also should assess risk mitigation strategies, including the
effectiveness of such mitigation in a range of circumstances, and
recommend alternatives if concerns arise.
IRM should identify information gaps, uncertainties, and
limitations in risk assessments for senior management, and as
appropriate, for the board. For instance, in analyzing a new product
area or business line, IRM should acknowledge areas of insufficient
information that limit a complete assessment of the risks and provide a
measured implementation plan to obtain the necessary information.
3. Risk Reporting
Principle: IRM should provide the board and senior management with risk
reports that accurately and concisely convey relevant, material risk
data and assessments in a timely manner.
Risk reporting should be comprehensive, useful, accurate, and
timely. Risk reporting should cover current and emerging risk and
adherence to risk limits and risk concentrations as well as the firm's
ongoing strategic, capital, and liquidity planning processes. Risk
reporting should enable prompt escalation and remediation of material
problems; enhance appropriate and timely responses to identified
problems; provide current and forward-looking perspectives; and support
or influence strategic decision-making. Risk reporting should provide
information on aggregate risks within and across business lines and
risk types, as well as by legal entity or jurisdiction and significant
concentrations.
Risk reporting should be tailored to meet the differing information
needs of
[[Page 1362]]
the board, senior management, and others within the firm. The frequency
of reporting should depend on needs of the firm and the materiality of
the issues. Risk reporting should adapt to market downturns or stress
events.
C. Internal Controls
Principle: A firm should identify its system of internal control and
demonstrate that it is commensurate with the firm's size, scope of
operations, activities, risk profile, strategy, and risk tolerance, and
consistent with all applicable laws and regulations, including those
related to consumer protection.
Internal controls cover a wide range of activities and processes,
and could include the following: \52\
---------------------------------------------------------------------------
\52\ See SR letter 03-5, ``Amended Interagency Guidance on the
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------
Policies and procedures that set expectations for and
govern the firm's business activities and support functions; establish
appropriate levels of authority, responsibility, and accountability for
overseeing and executing the firm's activities; and establish standards
for prudent risk-taking behaviors.
Clear assignment of roles and responsibilities and
appropriate separation of duties.
Physical controls for restricting access to tangible
assets.
Approvals and appropriate dual authorizations for key
decisions, transactions, and execution of processes.
Verifications of transaction details and periodic
reconciliations, such as those comparing cash flows to account records
and statements.
Access controls, change management controls, data entry
and related controls.
Escalation procedures with a system of checks and balances
in situations that allow for managerial or employee discretion.
Internal controls instill confidence in financial reporting and are
important to ensure the integrity of the process and information relied
upon by the firm to manage itself. Developing and maintaining an
effective system of internal control is the responsibility of several
parties, including business line management.\53\ Accordingly, a firm
should assign management responsibilities for the establishment and
maintenance of internal controls. To foster an appropriate control
culture within the firm, adequate control activities should be
integrated into the daily functions of all relevant personnel. All
personnel should fully understand and adhere to policies and procedures
affecting their duties and responsibilities.
---------------------------------------------------------------------------
\53\ As described below, the internal audit function should
examine, evaluate, and perform an independent assessment of the
firm's internal control system.
Principle: A firm should regularly evaluate and test the effectiveness
of internal controls, and monitor functioning of controls so that
---------------------------------------------------------------------------
deficiencies are identified and communicated in a timely manner.
A firm should have mechanisms to test its system of internal
control and to identify and escalate issues that appear to compromise
its effectiveness. A firm should regularly evaluate and test the
quality, reliability and effectiveness of internal controls, and
monitor any potential deterioration. Generally, testing activities are
conducted at specific points in time, whereas monitoring activities are
continuous processes. The scope, frequency, and depth of testing should
consider the complexity of the firm, the results of the firm's risk
assessments, and the number and significance of the deficiencies
identified during prior testing. A firm should test and monitor
internal controls using a risk-based approach, prioritizing efforts on
controls in areas of highest risk and less effective controls.
A firm should evaluate and communicate internal control
deficiencies in a timely manner to those parties responsible for taking
corrective action, including senior management. Firms should establish
management information systems that track internal control weaknesses
and escalate serious matters to the board, senior management, and
responsible business line management, as appropriate.
D. Internal Audit
Principle: The internal audit function should examine, evaluate, and
perform independent assessments of the firm's risk management and
internal control systems and report findings to senior management and
the firm's audit committee.
An effective internal audit function provides independent assurance
to the board and senior management concerning the effectiveness of risk
management and internal control systems. The Federal Reserve issued
guidance outlining the key components of an effective internal audit
function in SR letter 03-5, and followed that with supplemental
guidance in SR letter 13-1/CA letter 13-1, ``Supplemental Policy
Statement on the Internal Audit Function and Its Outsourcing.'' The
supplemental guidance builds upon the 2003 interagency guidance of SR
letter 03-5 and further addresses the characteristics, governance, and
operational effectiveness of a firm's internal audit function. That
existing audit guidance remains in place and is not superseded by this
guidance.
By order of the Board of Governors of the Federal Reserve
System, January 5, 2018.
Ann E. Misback,
Secretary of the Board.
[FR Doc. 2018-00294 Filed 1-10-18; 8:45 am]
BILLING CODE P
